Preface



This volume constitutes the proceedings of the 2nd International Joint Conference on Automated Reasoning (IJCAR 2004) held July 4-8, 2004 in Cork, Ireland. IJCAR 2004 continued the tradition established at the first IJCAR in Siena, Italy in 2001, which brought together different research communities working in automated reasoning. The current IJCAR is the fusion of the following conferences:

CADE: The International Conference on Automated Deduction,
CALCULEMUS: Symposium on the Integration of Symbolic Computation and Mechanized Reasoning,
FroCoS: Workshop on Frontiers of Combining Systems,
FTP: The International Workshop on First-Order Theorem Proving, and
TABLEAUX: The International Conference on Automated Reasoning with Analytic Tableaux and Related Methods.

There were 74 research papers submitted to IJCAR as well as 12 system descriptions. After extensive reviewing, 26 research papers and 6 system descriptions were accepted for presentation at the conference and publication in this volume. In addition, this volume also contains papers from the three invited speakers and a description of the CADE ATP system competition.

We would like to acknowledge the enormous amount of work put in by the members of the program committee, the various organizing and steering committees, the IJCAR officials, the invited speakers, and the additional referees named on the following pages. We would also like to thank Achim Brucker and Barbara Geiser for their help in producing this volume.



May 2004 



David Basin, Michael Rusinowitch 




Organization



Conference Chair and Local Organization 

Toby Walsh (UCC, Ireland) 

Barry O’Sullivan (UCC, Ireland) 



Program Committee Chairs 

David Basin (ETH Zurich, Switzerland)

Michael Rusinowitch (LORIA and INRIA Lorraine, France) 



Program Committee

Alessandro Armando (University of Genoa, Italy)
Franz Baader (TU Dresden, Germany)
Christoph Benzmüller (Saarland University, Germany)
Armin Biere (ETH Zurich, Switzerland)
Maria Paola Bonacina (Universita degli Studi di Verona, Italy)
Ricardo Caferra (LEIBNIZ-IMAG, France)
Marta Cialdea Mayer (University of Rome, Italy)
Nachum Dershowitz (Tel Aviv University, Israel)
David Dill (Stanford University, USA)
Amy Felty (University of Ottawa, Canada)
Rajeev Goré (ANU Canberra, Australia)
Bernhard Gramlich (TU Wien, Austria)
Philippe de Groote (INRIA, France)
Reiner Hähnle (Chalmers University, Sweden)
Andreas Herzig (IRIT, France)
Ian Horrocks (University of Manchester, UK)
Jieh Hsiang (National Taiwan University, Taiwan)
Deepak Kapur (University of New Mexico, USA)
Claude Kirchner (LORIA and INRIA Lorraine, France)
Reinhold Letz (TU München, Germany)
Chris Lynch (Clarkson University, USA)
Aart Middeldorp (University of Innsbruck, Austria)
Hans Jürgen Ohlbach (LMU München, Germany)
Paliath Narendran (SUNY Albany, USA)
Tobias Nipkow (TU München, Germany)
Leszek Pacholski (Wroclaw University, Poland)
Frank Pfenning (Carnegie Mellon University, USA)
David Plaisted (University of North Carolina, USA)
Roberto Sebastiani (University of Trento, Italy)




John Slaney (ANU Canberra, Australia)
Viorica Sofronie-Stokkermans (Max-Planck-Institut, Germany)
Ashish Tiwari (SRI International, USA)
Ralf Treinen (ENS Cachan, France)
Andrei Voronkov (University of Manchester, UK)
Wolfgang Windsteiger (RISC Linz, Austria)

Invited Speakers

Georg Gottlob (TU Wien, Austria)
Jose Meseguer (University of Illinois at Urbana-Champaign, USA)
Volker Weispfenning (University of Passau, Germany)



IJCAR Officials 

Conference Chair: Toby Walsh (UCC, Ireland) 

Program Committee Chairs: 

David Basin (ETH Zurich, Switzerland) 

Michael Rusinowitch (LORIA and INRIA Lorraine, France) 

Workshop Chair: Peter Baumgartner (Max-Planck-Institut, Germany) 
Tutorial Chair: William Farmer (McMaster University, Canada) 

Publicity Chair: 

Maria Paola Bonacina (Universita degli Studi di Verona, Italy) 

IJCAR Steering Committee: 

Alessandro Armando (University of Genoa, Italy) 

David Basin (ETH Zurich, Switzerland) 

Christoph Benzmüller (Saarland University, Germany)

Maria Paola Bonacina, Coordinator (Universita degli Studi di Verona, Italy) 
Ulrich Furbach (University of Koblenz-Landau, Germany)

Reiner Hähnle (Chalmers University, Sweden)

Fabio Massacci (University of Trento, Italy) 

Michael Rusinowitch (LORIA and INRIA Lorraine, France) 

Toby Walsh (UCC, Ireland) 

Local Organization: Barry O’Sullivan (UCC, Ireland) 

Web page: Brahim Hnich (UCC, Ireland)

Registration: Eleanor O’Hanlon (UCC, Ireland) 

IJCAR Sponsors 

IJCAR gratefully acknowledges the sponsorship of: 

Science Foundation Ireland 

Cork Constraint Computation Centre 

University College Cork 







Additional Referees 

Pietro Abate 
Husam Abu-Haimed 
Andrew A. Adams 
Peter Andrews 
Jürgen Avenhaus
Jeremy Avigad 
Arnaud Bailly 
Sebastian Bala 
Gertrud Bauer 
Peter Baumgartner 
Bernhard Beckert 
Arnold Beckmann 
Ramón Béjar
Sergey Berezin 
Thierry Boy de la Tour 
Chad Brown 
Bruno Buchberger
Claudio Castellini 
Serenella Cerrito 
Iliano Cervesato 
Witold Charatonik
Szu-Pei Chen 
Alessandro Cimatti 
Luca Compagna 
Evelyne Contejean 
Karl Crary 
Stéphane Demri
Michael Dierkes 
Jürgen Dix
Roy Dyckhoff
Germain Faure 
Christian Fermüller
Murdoch Gabbay 
Olivier Gasquet 
Thomas Genet 
Rosella Gennari 
Silvio Ghilardi 
Giuseppe de Giacomo 
Laura Giordano 



Jean Goubault-Larrecq 
Elsa L. Gunter 
Volker Haarslev 
Ziyad Hanna 
John Harrison 
Miki Hermann 
Thomas Hillenbrand 
Nao Hirokawa 
Joe Hurd 
Ullrich Hustadt 
Predrag Janicic 
Tudor Jebelean 
Tommi Junttila
Lukasz Kaiser 
Jaap Kamps 
Emanuel Kieronski 
Michael Kohlhase 
Tomasz Kowalski 
Temur Kutsia 
Francis Kwong 
Lei Li 

Denis Lugiez 
Carsten Lutz 
Jacopo Mantovani 
Felip Manyà
João Marcos
Mircea Marin 
William McCune 
Andreas Meier 
Gopalan Nadathur
Robert Nieuwenhuis 
Hans de Nivelle 
Greg O’Keefe 
Michio Oyamaguchi 
Jeff Pan 

Fabrice Parennes 
Lawrence Paulson 
Nicolas Peltier 
Martin Pollet 



François Puitg
Stefan Ratschan 
Antoine Reilles 
Alexandre Riazanov 
Christophe Ringeissen
Riccardo Rosati 
Markus Rosenkranz 
Paweł Rychlikowski
Mooly Sagiv 
Sriram Sankaranarayanan
Ulrike Sattler 
Francesco Savelli 
Steffen Schlager 
Manfred Schmidt-Schauß
Christian Schulte 
Klaus U. Schulz 
Johann Schumann 
Maria Sorea 
Gernot Stenz 
Jürgen Stuber
Lidia Tendera 
Sergio Tessaris 
Tinko Tinchev 
Cesare Tinelli 
Stefano Tonetta 
Tomasz Truderung 
Xavier Urbain 
Sándor Vágvölgyi
Miroslav Velev 
Laurent Vigneron 
Lida Wang 
Freek Wiedijk 
Claus-Peter Wirth 
Richard Zach 
Hantao Zhang 
Yunshan Zhu





Table of Contents

Rewriting

Invited Talk: Rewriting Logic Semantics: From Language Specifications to Formal Analysis Tools   1
  Jose Meseguer, Grigore Roșu
A Redundancy Criterion Based on Ground Reducibility by Ordered Rewriting   45
  Bernd Löchner
Efficient Checking of Term Ordering Constraints   60
  Alexandre Riazanov, Andrei Voronkov
Improved Modular Termination Proofs Using Dependency Pairs   75
  René Thiemann, Jürgen Giesl, Peter Schneider-Kamp
Deciding Fundamental Properties of Right-(Ground or Variable) Rewrite Systems by Rewrite Closure   91
  Guillem Godoy, Ashish Tiwari

Saturation-Based Theorem Proving

Redundancy Notions for Paramodulation with Non-monotonic Orderings   107
  Miquel Bofill, Albert Rubio
A Resolution Decision Procedure for the Guarded Fragment with Transitive Guards   122
  Yevgeny Kazakov, Hans de Nivelle
Attacking a Protocol for Group Key Agreement by Refuting Incorrect Inductive Conjectures   137
  Graham Steel, Alan Bundy, Monika Maidl

Combination Techniques

Decision Procedures for Recursive Data Structures with Integer Constraints   152
  Ting Zhang, Henny B. Sipma, Zohar Manna
Modular Proof Systems for Partial Functions with Weak Equality   168
  Harald Ganzinger, Viorica Sofronie-Stokkermans, Uwe Waldmann
A New Combination Procedure for the Word Problem That Generalizes Fusion Decidability Results in Modal Logics   183
  Franz Baader, Silvio Ghilardi, Cesare Tinelli

Verification and Systems

Using Automated Theorem Provers to Certify Auto-Generated Aerospace Software   198
  Ewen Denney, Bernd Fischer, Johann Schumann
ARGO-lib: A Generic Platform for Decision Procedures   213
  Filip Marić, Predrag Janičić
The ICS Decision Procedures for Embedded Deduction   218
  Leonardo de Moura, Sam Owre, Harald Rueß, John Rushby, Natarajan Shankar
System Description: E 0.81   223
  Stephan Schulz

Reasoning with Finite Structure

Invited Talk: Second-Order Logic over Finite Structures - Report on a Research Programme   229
  Georg Gottlob
Efficient Algorithms for Constraint Description Problems over Finite Totally Ordered Domains   244
  Angel J. Gil, Miki Hermann, Gernot Salzer, Bruno Zanuttini

Tableaux and Non-classical Logics

PDL with Negation of Atomic Programs   259
  Carsten Lutz, Dirk Walther
Counter-Model Search in Gödel-Dummett Logics   274
  Dominique Larchey-Wendling
Generalised Handling of Variables in Disconnection Tableaux   289
  Reinhold Letz, Gernot Stenz

Applications and Systems

Chain Resolution for the Semantic Web   307
  Tanel Tammet
Sonic — Non-standard Inferences Go OilEd   321
  Anni-Yasmin Turhan, Christian Kissig
TeMP: A Temporal Monodic Prover   326
  Ullrich Hustadt, Boris Konev, Alexandre Riazanov, Andrei Voronkov
Dr. Doodle: A Diagrammatic Theorem Prover   331
  Daniel Winterstein, Alan Bundy, Corin Gurr

Computer Mathematics

Invited Talk: Solving Constraints by Elimination Methods   336
  Volker Weispfenning
Analyzing Selected Quantified Integer Programs   342
  K. Subramani

Interactive Theorem Proving

Formalizing O Notation in Isabelle/HOL   357
  Jeremy Avigad, Kevin Donnelly
Experiments on Supporting Interactive Proof Using Resolution   372
  Jia Meng, Lawrence C. Paulson
A Machine-Checked Formalization of the Generic Model and the Random Oracle Model   385
  Gilles Barthe, Jan Cederquist, Sabrina Tarento

Combinatorial Reasoning

Automatic Generation of Classification Theorems for Finite Algebras   400
  Simon Colton, Andreas Meier, Volker Sorge, Roy McCasland
Efficient Algorithms for Computing Modulo Permutation Theories   415
  Jürgen Avenhaus
Overlapping Leaf Permutative Equations   430
  Thierry Boy de la Tour, Mnacho Echenim

Higher-Order Reasoning

TaMeD: A Tableau Method for Deduction Modulo   445
  Richard Bonichon
Lambda Logic   460
  Michael Beeson
Formalizing Undefinedness Arising in Calculus   475
  William M. Farmer

Competition

The CADE ATP System Competition   490
  Geoff Sutcliffe, Christian Suttner

Author Index   493




Rewriting Logic Semantics: From Language 
Specifications to Formal Analysis Tools 



Jose Meseguer and Grigore Roșu
University of Illinois at Urbana-Champaign, USA 



Abstract. Formal semantic definitions of concurrent languages, when 
specified in a well-suited semantic framework and supported by generic 
and efficient formal tools, can be the basis of powerful software analy- 
sis tools. Such tools can be obtained for free from the semantic defini- 
tions; in our experience in just the few weeks required to define a lan- 
guage’s semantics even for large languages like Java. By combining, yet 
distinguishing, both equations and rules, rewriting logic semantic defini- 
tions unify both the semantic equations of equational semantics (in their 
higher-order denotational version or their first-order algebraic counter- 
part) and the semantic rules of SOS. Several limitations of both SOS 
and equational semantics are thus overcome within this unified frame- 
work. By using a high-performance implementation of rewriting logic 
such as Maude, a language’s formal specification can be automatically 
transformed into an efficient interpreter. Furthermore, by using Maude’s 
breadth first search command, we also obtain for free a semi-decision 
procedure for finding failures of safety properties; and by using Maude’s 
LTL model checker, we obtain, also for free, a decision procedure for LTL 
properties of finite-state programs. These possibilities, and the compet- 
itive performance of the analysis tools thus obtained, are illustrated by 
means of a concurrent Caml-like language; similar experience with Java 
(source and JVM) programs is also summarized. 



1 Introduction 

Without a precise mathematical semantics compiler writers will often produce 
incompatible language implementations; and it will be meaningless to even at- 
tempt to formally verify a program. Formal semantics is not only a necessary 
prerequisite to any meaningful talk of software correctness, but, as we try to show 
in this paper, it can be a key technology to develop powerful software analysis 
tools. However, for this to happen in practice we need to have: 

— a well-suited semantic framework, and 

— a high performance implementation of such a framework. 

We argue that rewriting logic is indeed a well-suited and flexible framework 
to give formal semantics to programming languages, including concurrent ones. 
In fact we show that it unifies two well-known frameworks, namely equational
semantics and structural operational semantics, combining the advantages of 
both and overcoming several of their respective limitations. 

High performance is crucial to scale up both the execution and the formal 
analysis. In this regard, the existence of the Maude 2.0 system [19] implementing 
rewriting logic and supporting efficient execution as well as breadth-first search
and LTL model checking, allows us to automatically turn a language’s rewriting 
logic semantic definition into a quite sophisticated software analysis tool for that 
language for free. In particular, we can efficiently interpret programs in that 
language, and we can formally analyze programs, including concurrent ones, to 
find safety violations and to verify temporal logic properties by model checking. 

The fact that rewriting logic specifications provide in practice an easy way 
to develop executable formal definitions of languages, which can then be sub- 
jected to different tool-supported formal analyses, is by now well established [83, 
8,84,78,74,45,80,16,65,81,27,26,38]. However, ascertaining that this approach can 
scale up to large conventional languages such as Java and the JVM [27,26], and 
that the generic formal analysis methods associated to semantic definitions can 
compete in performance with special-purpose analysis tools developed for indi- 
vidual languages, is a more recent development that we have been investigating 
with our students and for which we give evidence in this paper. 



1.1 Semantics: Equational Versus SOS 

Two well-known semantic frameworks for programming languages are: equa- 
tional semantics and structural operational semantics (SOS). 

In equational semantics, formal definitions take the form of semantic equa- 
tions, typically satisfying the Church-Rosser property. Both higher-order (de-
notational semantics) and first-order (algebraic semantics) versions have been 
shown to be useful formalisms. There is a vast literature in these two areas that 
we do not attempt to survey. However, we can mention some early denotational 
semantics papers such as [75,67] and the survey [56]. Similarly, we can mention 
[89,31,12] for early algebraic semantics papers, and [30] for a recent textbook. 

We use the more neutral term equational semantics to emphasize the fact 
that denotational and algebraic semantics have many common features and can 
both be viewed as instances of a common equational framework. In fact, there 
isn’t a rigid boundary between both approaches, as illustrated, for example, by 
the conversion of higher-order semantic equations into first-order ones by means 
of explicit substitution calculi or combinators, the common use of initiality in 
both initial algebras and in solutions of domain equations, and a continuous 
version of algebraic semantics based on continuous algebras. 

Strong points of equational semantics include:

— it has a model-theoretic, denotational semantics given by domains in the higher-order case, and by initial algebras in the first-order case;

— it also has a proof-theoretic, operational semantics given by equational reduction with the semantic equations;

— semantic definitions can be easily turned into efficient interpreters, thanks to efficient higher-order functional languages (ML, Haskell, etc.) and first-order equational languages (ACL2, OBJ, ASF+SDF, etc.);

— there is good higher-order and first-order theorem proving support.

However, equational semantics has the following drawbacks: 

— it is well suited for deterministic languages such as conventional sequential languages or purely functional languages, but is quite poorly suited to define the semantics of concurrent languages, unless the concurrency is that of a purely deterministic computation;

— one can indirectly model¹ some concurrency aspects with devices such as a scheduler, or lazy data structures, but a direct comprehensive modeling of all concurrency aspects remains elusive within an equational framework;

— semantic equations are typically unmodular, i.e., adding new features to a language often requires extensive redefinition of earlier semantic equations.

In SOS formal definitions take the form of semantic rules. SOS is a proof- 
theoretic approach, focusing on giving a detailed step-by-step formal description 
of a program’s execution. The semantic rules are used as inference rules to rea- 
son about what computation steps are possible. Typically, the rules follow the 
syntactic structure of programs, defining the semantics of a language construct 
in terms of that of its components. The “locus classicus” is Plotkin’s Aarhus
lectures [62]; there is again a vast literature on the topic that we do not attempt
to survey; for a good textbook introduction see [35].

Strong points of SOS include: 

— it is an abstract and general formalism, yet quite intuitive, allowing detailed step-by-step modeling of program execution;

— it has a simple proof-theoretic semantics using semantic rules as inference rules;

— it is fairly well suited to model concurrent languages, and can also deal well with the detailed execution of deterministic languages;

— it allows mathematical reasoning and proof, by reasoning inductively or coinductively about the inference steps.

However, SOS has the following drawbacks:

— although specific proposals have been made for categorical models for certain SOS formats, such as, for example, Turi’s functorial SOS [79] and Gadducci and Montanari’s tile models [29], it seems however fair to say that, so far, SOS has no commonly agreed upon model-theoretic semantics;

— in its standard formulation it imposes a centralized interleaving semantics of concurrent computations, which may be unnatural in some cases, for example for highly decentralized and asynchronous mobile computations; this problem is avoided in “reduction semantics,” which is different from SOS and is in fact a special case of rewriting semantics (see Section 5.2);

— although some tools have been built to execute SOS definitions (see for example [21]), tool support is considerably less developed than for equational semantics;

— standard SOS definitions are notoriously unmodular, unless one adopts Mosses’ MSOS framework (see Section 5.3).

¹ Two good examples of indirectly modeling concurrency within a purely functional framework are the ACL2 semantics of the JVM using a scheduler [53], and the use of lazy data structures in Haskell to analyze cryptographic protocols [3].



1.2 Rewriting Logic Unifies SOS and Equational Semantics 

For the most part, equational semantics and SOS have lived separate lives. Prag- 
matic considerations and differences in taste tend to dictate which framework 
is adopted in each particular case. For concurrent languages SOS seems clearly 
superior and tends to prevail as the formalism of choice, but for deterministic 
languages equational approaches are also widely used. Of course there are also 
practical considerations of tool support for both execution and formal reasoning. 

This paper addresses three fundamental questions: 



1. can the semantic frameworks of SOS and equational semantics be unified in 
a mathematically rigorous way? 

2. can the advantages of each formalism be preserved and can their respective
drawbacks be overcome in a suitable unification?

3. is it possible to efficiently execute and analyze programs using semantic 
language definitions in such a unified framework with suitable formal tools? 



We answer each of the above questions in the affirmative by proposing rewriting logic [41,14] as such a unifying semantic framework. Roughly speaking,² a rewrite theory is a triple $(\Sigma, E, R)$ with $(\Sigma, E)$ an equational theory with signature of operations and sorts $\Sigma$ and set of (possibly conditional) equations $E$, and with $R$ a set of (possibly conditional) rewrite rules. Therefore, rewriting logic introduces a key distinction between semantic equations $E$, and semantic rules $R$. Computationally, this is a distinction between deterministic computations, and concurrent and possibly nondeterministic ones. That is, if $(\Sigma, E, R)$ axiomatizes the semantics of a programming language $\mathcal{L}$, then the deterministic computations in $\mathcal{L}$ will be axiomatized by the semantic equations $E$, whereas the concurrent computations will be axiomatized by the rewrite rules $R$. The semantic unification of SOS and equational semantics is then achieved very naturally, since, roughly speaking, we can obtain SOS and equational semantics as, respectively, the special cases in which $E = \emptyset$ and we have only semantic rules³, and $R = \emptyset$ and we have only semantic equations.

² We postpone the issue of “frozen” arguments, which is treated in Section 2.2.

This unification makes possible something not available in either formalism, 
namely mixing semantic equations and semantic rules, using each kind of axiom 
for the purposes for which it is best suited: equations for deterministic computa- 
tions, and rules for concurrent ones. This distinction between equations and rules 
is of more than academic interest. The point is that, since rewriting with rules 
R takes place modulo the equations E [41], many states are abstracted together 
by the equations E, and only the rules R contribute to the size of the system’s
state space, which can be drastically smaller than if all axioms had been given 
as rules, a fact of crucial importance for formal analyses of concurrent programs 
based on search and model checking. 
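As an added illustration of this point (example code written for this page, not from the paper or from Maude), the following small Python rewrite engine keeps equations and rules apart: successors of a state are produced by rules and then normalized modulo the equations. A constructed two-thread program in which each thread executes x := x + 1 is explored by breadth-first search twice, once with addition as an equation and once as a rule, to compare the sizes of the reachable state spaces and to find the lost-update race as a safety violation; the term encoding and the toy language are assumptions of this example.

```python
from collections import deque

# Constructed example, not from the paper. Terms are nested tuples: a state is
# ("state", store, threads) with store the value of one shared variable x and
# threads a tuple of thread programs; a program is a tuple of statements
# ("assign", expr); an expr is an int, "x" (a read of x) or ("plus", e1, e2).

def plus_eq(term):
    """Equation plus(m, n) = m + n for integers m, n; None when inapplicable."""
    if (isinstance(term, tuple) and len(term) == 3 and term[0] == "plus"
            and isinstance(term[1], int) and isinstance(term[2], int)):
        return term[1] + term[2]
    return None

def normalize(term, equations):
    """Deterministic part: rewrite bottom-up with the equations to normal form."""
    if isinstance(term, tuple):
        term = tuple(normalize(sub, equations) for sub in term)
    for eq in equations:
        new = eq(term)
        if new is not None and new != term:
            return normalize(new, equations)
    return term

def rewrite_once_anywhere(term, rule):
    """Nondeterministic part: all terms obtained by rewriting exactly one redex
    of `rule` somewhere inside `term` (one successor state per redex)."""
    top = rule(term)
    results = [] if top is None else [top]
    if isinstance(term, tuple):
        for i, sub in enumerate(term):
            for new_sub in rewrite_once_anywhere(sub, rule):
                results.append(term[:i] + (new_sub,) + term[i + 1:])
    return results

def subst_first_x(expr, value):
    """Replace the leftmost read of x by `value`; returns (new_expr, replaced)."""
    if expr == "x":
        return value, True
    if isinstance(expr, tuple):
        for i, sub in enumerate(expr):
            new_sub, done = subst_first_x(sub, value)
            if done:
                return expr[:i] + (new_sub,) + expr[i + 1:], True
    return expr, False

def thread_rules(state, equations):
    """Rules of the toy language: read x and write x, each acting on one thread
    (the thread chosen is the interleaving). Successors are normalized modulo E."""
    _, store, threads = state
    succ = []
    for i, prog in enumerate(threads):
        if not prog:                                   # thread has terminated
            continue
        (kind, expr), rest = prog[0], prog[1:]
        before, after = threads[:i], threads[i + 1:]
        if isinstance(expr, int):                      # rule: write x := value
            succ.append(("state", expr, before + (rest,) + after))
        else:                                          # rule: read current x
            new_expr, done = subst_first_x(expr, store)
            if done:
                prog2 = ((kind, new_expr),) + rest
                succ.append(("state", store, before + (prog2,) + after))
    return [normalize(s, equations) for s in succ]

def step_with_equations(state):
    """Arithmetic as an equation: plus(m, n) is folded away inside normalize."""
    return thread_rules(state, [plus_eq])

def step_all_rules(state):
    """Same semantics with arithmetic as a rule: every addition is its own step."""
    return thread_rules(state, []) + rewrite_once_anywhere(state, plus_eq)

def search(init, successors, bad=lambda s: False):
    """Breadth-first search. Returns (violation, seen): the first state satisfying
    `bad` (or None) and {state: depth} for every state explored so far."""
    seen, queue = {init: 0}, deque([init])
    while queue:
        s = queue.popleft()
        if bad(s):
            return s, seen
        for t in successors(s):
            if t not in seen:
                seen[t] = seen[s] + 1
                queue.append(t)
    return None, seen

# Constructed program: two threads each executing x := x + 1, starting at x = 0.
INCREMENT = (("assign", ("plus", "x", 1)),)
INIT = ("state", 0, (INCREMENT, INCREMENT))

def lost_update(state):
    """Safety violation: both threads finished but only one increment survived."""
    _, store, threads = state
    return all(prog == () for prog in threads) and store == 1

if __name__ == "__main__":
    print("states, plus as equation:", len(search(INIT, step_with_equations)[1]))
    print("states, plus as rule:    ", len(search(INIT, step_all_rules)[1]))
    bad, seen = search(INIT, step_with_equations, lost_update)
    print("lost update reached at depth", seen[bad], ":", bad)
```

With addition as an equation the program has 12 reachable states, with addition as a rule 21, and the same lost-update state is found in both, at depth 4 and depth 6 respectively.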

This brings us to efficient tool support for both execution and formal analysis. Rewriting logic has several high-performance implementations [6,28,19], of which the most comprehensive so far, in expressiveness and in range of features, is probably the Maude system [19]. Maude can both efficiently execute a rewriting logic axiomatization of a programming language $\mathcal{L}$, thus providing an interpreter for $\mathcal{L}$, and also perform breadth-first search to find safety violations in a concurrent program, and model checking of linear time temporal logic (LTL) properties for such programs when the set of reachable states is finite. We illustrate these execution and analysis capabilities in Sections 3-4.

The rest of the paper is organized as follows. Basic concepts on rewriting 
logic and membership equational logic are gathered in Section 2. We then illus- 
trate our language specification methodology by means of a nontrivial example 
- a substantial Caml-like language including functions, assignments, loops, ex- 
ceptions, and threads - and briefly discuss another case study on Java semantics 
in Section 3. The formal analysis of concurrent programs is illustrated for our 
example language in Section 4. We revisit SOS and equational semantics and 
discuss the advantages of their unification within rewriting logic in Section 5. 
The paper gives some concluding remarks in Section 6. 



2 Rewriting Logic Semantics

We explain here the basic concepts of rewriting logic, and how it can be used to define the semantics of a programming language. Since each rewrite theory has an underlying equational theory, different variants of equational logic give rise to corresponding variants of rewriting logic. The more expressive the underlying equational sublanguage, the more expressive will the resulting rewrite theories be. For this reason, we include below a brief summary of membership equational logic (MEL) [44], an expressive Horn logic with both equations $t = t'$ and membership predicates $t : s$ which generalizes order-sorted equational logic and supports sorts, subsorts, partiality, and sorts defined by equational axioms. Maude 2.0 [19] supports all the logical features of MEL and its rewriting logic super-logic with a syntax almost identical to the mathematical notation.

³ The case of structural axioms is a separate issue that we postpone until Section 2; also rewrite rules and SOS rules, though closely related, do not correspond identically to each other, as explained in Section 5.2.



2.1 Membership Equational Logic 

A membership equational logic (MEL) [44] signature is a triple $(K, \Sigma, S)$ (just $\Sigma$ in the following), with $K$ a set of kinds, $\Sigma = \{\Sigma_{w,k}\}_{(w,k) \in K^* \times K}$ a many-kinded signature and $S = \{S_k\}_{k \in K}$ a $K$-kinded family of disjoint sets of sorts. The kind of a sort $s$ is denoted by $[s]$. A MEL $\Sigma$-algebra $A$ contains a set $A_k$ for each kind $k \in K$, a function $A_f : A_{k_1} \times \cdots \times A_{k_n} \to A_k$ for each operator $f \in \Sigma_{k_1 \ldots k_n, k}$ and a subset $A_s \subseteq A_k$ for each sort $s \in S_k$, with the meaning that the elements in sorts are well-defined, while elements without a sort are errors. We write $T_{\Sigma,k}$ and $T_\Sigma(X)_k$ to denote respectively the set of ground $\Sigma$-terms with kind $k$ and of $\Sigma$-terms with kind $k$ over variables in $X$, where $X = \{x_1 : k_1, \ldots, x_n : k_n\}$ is a set of kinded variables. Given a MEL signature $\Sigma$, atomic formulae have either the form $t = t'$ ($\Sigma$-equation) or $t : s$ ($\Sigma$-membership) with $t, t' \in T_\Sigma(X)_k$ and $s \in S_k$; and $\Sigma$-sentences are conditional formulae of the form
$$(\forall X)\ \varphi \ \text{if}\ \bigwedge_i p_i = q_i \ \wedge\ \bigwedge_j w_j : s_j,$$
where $\varphi$ is either a $\Sigma$-equation or a $\Sigma$-membership, and all the variables in $\varphi$, $p_i$, $q_i$, and $w_j$ are in $X$. A MEL theory is a pair $(\Sigma, E)$ with $\Sigma$ a MEL signature and $E$ a set of $\Sigma$-sentences. We refer to [44] for the detailed presentation of $(\Sigma, E)$-algebras, sound and complete deduction rules, and initial and free algebras. In particular, given a MEL theory $(\Sigma, E)$, its initial algebra is denoted $T_{\Sigma/E}$; its elements are $E$-equivalence classes of ground terms in $T_\Sigma$. Order-sorted notation $s_1 < s_2$ can be used to abbreviate the conditional membership $(\forall x : k)\ x : s_2 \ \text{if}\ x : s_1$. Similarly, an operator declaration $f : s_1 \times \cdots \times s_n \to s$ corresponds to declaring $f$ at the kind level and giving the membership axiom $(\forall x_1 : k_1, \ldots, x_n : k_n)\ f(x_1, \ldots, x_n) : s \ \text{if}\ \bigwedge_{1 \le i \le n} x_i : s_i$. We write $(\forall x_1 : s_1, \ldots, x_n : s_n)\ t = t'$ in place of $(\forall x_1 : k_1, \ldots, x_n : k_n)\ t = t' \ \text{if}\ \bigwedge_{1 \le i \le n} x_i : s_i$.



2.2 Rewrite Theories 

A rewriting logic specification or theory is a tuple $\mathcal{R} = (\Sigma, E, \phi, R)$, with:

— $(\Sigma, E)$ a membership equational theory;

— $\phi : \Sigma \to \mathcal{P}(\mathbb{N})$ a mapping assigning to each function symbol $f \in \Sigma$ (with, say, $n$ arguments) a set $\phi(f) = \{i_1, \ldots, i_k\}$, $1 \le i_1 < \ldots < i_k \le n$ of frozen argument positions under which it is forbidden to perform any rewrites; and

— $R$ a set of labeled conditional rewrite rules of the general form
$$r : (\forall X)\ t \to t' \ \text{if}\ \Big(\bigwedge_i u_i = u'_i\Big) \wedge \Big(\bigwedge_j v_j : s_j\Big) \wedge \Big(\bigwedge_l w_l \to w'_l\Big) \qquad \text{(b)}$$

where the variables appearing in all terms are among those in $X$, terms in each rewrite or equation have the same kind, and in each membership $v_j : s_j$ the term $v_j$ has kind $[s_j]$. Intuitively, $\mathcal{R}$ specifies a concurrent system, whose states are elements of the initial algebra $T_{\Sigma/E}$ specified by $(\Sigma, E)$, and whose concurrent transitions are specified by the rules $R$, subject to the frozenness imposed by $\phi$.

We can illustrate both a simple rewrite theory and the usefulness of frozen 
arguments by means of the following Maude module for nondeterministic choice: 



mod CHOICE is protecting NAT .
  sorts Elt MSet . subsorts Elt < MSet .
  ops a b c d e f g : -> Elt .
  op __ : MSet MSet -> MSet [assoc comm] .
  op card : MSet -> Nat [frozen] .
  eq card(X:Elt) = 1 .
  eq card(X:Elt M:MSet) = 1 + card(M:MSet) .
  rl [choice] : X:MSet Y:MSet => Y:MSet .
endm



In a Maude module,⁴ introduced with the keyword mod followed by its name, and ended with the keyword endm, kinds are not declared explicitly; instead, each connected component of sorts in the subsort inclusion ordering implicitly determines a kind, which is viewed as the equivalence class of its corresponding sorts. Here, since the only two sorts declared, namely Elt and MSet, are related by a subsort inclusion,⁵ we have implicitly declared a new kind, which we can refer to by enclosing either of the sorts in square brackets, that is, by either [Elt] or [MSet]. There are however two more kinds, namely the kind [Nat] determined by the sort Nat of natural numbers and its subsorts in the imported NAT module, and the kind [Bool] associated to the Booleans, which by default are implicitly imported by any Maude module.

The operators in $\Sigma$ are declared with op (ops if several operators are declared simultaneously). Here we have just three such declarations: (i) the constants a through g of sort Elt, (ii) a multiset union operator declared with infix⁶ empty syntax (juxtaposition), and (iii) a multiset cardinality function declared with prefix notation card. The set $E$ contains those equations and memberships of the imported modules, the two equations defining the cardinality function, and the equations of associativity and commutativity for the multiset union operator, which are not spelled out as the other equations, but are instead specified with the assoc and comm keywords. Furthermore, as pointed out in Section 2.1, the

4 A Maude module specifies a rewrite theory $\mathcal{R} = (\Sigma, E, \phi, R)$; however, when $R = \emptyset$, then $\mathcal{R}$ becomes a membership equational theory. Maude has an equational sublanguage in which a membership equational theory $(\Sigma, E)$ can be specified as a functional module with beginning and ending keywords fmod and endfm.

5 A subsort inclusion is shorthand notation for a corresponding membership axiom.

6 In general, prefix, infix, postfix, and general “mixfix” user-definable syntax is supported. In all cases except for prefix operators, each argument position is declared with an underbar symbol; for example, the usual infix notation for addition would be declared _+_, but here, since we use juxtaposition, no symbol is given between the two underbars __ of the multiset union operator.
subsort inclusion declaration and the operator declarations at the level of sorts are in fact conditional membership axioms in disguise. The only rule in the set $R$ is the [choice] rule, which arbitrarily chooses a nonempty sub-multiset of the given multiset. Maude then uses the assoc and comm declarations to apply the other equations and the [choice] rule in a built-in way modulo the associativity and commutativity of multiset union, that is, parentheses are not needed, and the order of the elements in the multiset is immaterial. It is then intuitively clear that if we begin with a multiset such as a a b b b c and repeatedly rewrite it in all possible ways using the [choice] rule, the terminating (deadlock) states will be the singleton multisets a, b, and c.

The multiset union operator has no special declaration, meaning that none of its two arguments are frozen, but the cardinality function is declared with the frozen attribute, meaning that all its arguments (in this case the single argument of sort MSet) are frozen, that is, $\phi(\mathrm{card}) = \{1\}$. This declaration captures the intuition that it does not make much sense to rewrite below the cardinality function card, because then the multiset whose cardinality we wish to determine would become a moving target. If card had not been declared frozen, then the rewrites a b c → b c → c would induce rewrites 3 → 2 → 1, which seems bizarre. The point is that we think of the kind [MSet] as the state kind in this example, whereas [Nat] is the data kind. By declaring card’s single argument as frozen, we restrict rewrites to the state kind, where they belong.
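As an added example (not code from the paper or from Maude), the CHOICE module executed in Python: states are multisets taken modulo associativity and commutativity, the [choice] rule is applied in every possible way, card's argument position is treated as frozen, and a breadth-first search over the resulting reachability relation recovers the deadlock states a, b and c from a a b b b c, as the text predicts.

```python
"""Added example, not code from the paper or the Maude distribution: the
CHOICE module executed in Python.  States are multisets modulo assoc/comm,
[choice] is applied in every possible way, card's argument is frozen, and a
breadth-first search finds the deadlock states reachable from a a b b b c."""
from collections import Counter, deque
from itertools import product

# phi: frozen argument positions per operator (1-based, as in the paper).
FROZEN = {"card": {1}}


def mset(s):
    """Canonical representative of a multiset modulo assoc and comm: a sorted
    tuple of (element, multiplicity) pairs, e.g. mset('aabbbc')."""
    return tuple(sorted(Counter(s).items()))


def card(m):
    """The two card equations: card(X:Elt) = 1, card(X M) = 1 + card(M)."""
    return sum(n for _, n in m)


def choice_successors(m):
    """All one-step rewrites of a multiset with rl [choice] : X Y => Y.
    Modulo assoc/comm every split of m into nonempty X and Y matches, so the
    successors are exactly the nonempty proper sub-multisets of m."""
    elems = [e for e, _ in m]
    mults = [n for _, n in m]
    succ = set()
    for keep in product(*[range(n + 1) for n in mults]):   # copies kept in Y
        if sum(keep) == 0 or list(keep) == mults:          # Y and X nonempty
            continue
        succ.add(tuple((e, k) for e, k in zip(elems, keep) if k > 0))
    return succ


def successors(term, frozen=True):
    """One-step rewrites of a term.  A term is either a multiset (state kind)
    or ('card', m) (data kind).  With phi(card) = {1} the Congruence rule may
    not rewrite below card, and no rule matches card(...) itself, so a card
    term has no successors.  frozen=False shows the 'bizarre' alternative the
    paper warns about: a b c -> b c -> c would induce 3 -> 2 -> 1."""
    if term and term[0] == "card":
        if frozen and 1 in FROZEN["card"]:
            return set()
        return {("card", s) for s in choice_successors(term[1])}
    return choice_successors(term)


def deadlock_states(start):
    """Breadth-first search over the reachability relation, in the spirit of
    Maude's search command: returns the reachable states with no successor."""
    seen, queue, dead = {start}, deque([start]), set()
    while queue:
        m = queue.popleft()
        nxt = successors(m)
        if not nxt:
            dead.add(m)
        for s in nxt - seen:
            seen.add(s)
            queue.append(s)
    return dead


if __name__ == "__main__":
    start = mset("aabbbc")
    print("card =", card(start))
    print("deadlocks:", sorted(deadlock_states(start)))
```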



2.3 Rewriting Logic Deduction 



Given $\mathcal{R} = (\Sigma, E, \phi, R)$, the sentences that it proves are universally quantified rewrites of the form $(\forall X)\ t \to t'$, with $t, t' \in T_{\Sigma,E}(X)_k$, for some kind $k$, which are obtained by finite application of the following rules of deduction:

— Reflexivity. For each $t \in T_\Sigma(X)$,
$$\frac{}{(\forall X)\ t \to t}$$

— Equality.
$$\frac{(\forall X)\ u \to v \qquad E \vdash (\forall X)\ u = u' \qquad E \vdash (\forall X)\ v = v'}{(\forall X)\ u' \to v'}$$

— Congruence. For each $f : k_1 \ldots k_n \to k$ in $\Sigma$, with $\{1, \ldots, n\} - \phi(f) = \{j_1, \ldots, j_m\}$, with $t_i \in T_\Sigma(X)_{k_i}$, $1 \le i \le n$, and with $t'_{j_l} \in T_\Sigma(X)_{k_{j_l}}$, $1 \le l \le m$,
$$\frac{(\forall X)\ t_{j_1} \to t'_{j_1} \qquad \cdots \qquad (\forall X)\ t_{j_m} \to t'_{j_m}}{(\forall X)\ f(t_1, \ldots, t_{j_1}, \ldots, t_{j_m}, \ldots, t_n) \to f(t_1, \ldots, t'_{j_1}, \ldots, t'_{j_m}, \ldots, t_n)}$$

— Replacement. For each $\theta : X \to T_\Sigma(Y)$ with, say, $X = \{x_1, \ldots, x_n\}$, and $\theta(x_l) = p_l$, $1 \le l \le n$, and for each rule in $R$ of the form
$$q : (\forall X)\ t \to t' \ \text{if}\ \Big(\bigwedge_i u_i = u'_i\Big) \wedge \Big(\bigwedge_j v_j : s_j\Big) \wedge \Big(\bigwedge_k w_k \to w'_k\Big)$$
with $Z = \{x_{j_1}, \ldots, x_{j_m}\}$ the set of unfrozen variables in $t$ and $t'$, then
$$\frac{\Big(\bigwedge_r (\forall Y)\ p_{j_r} \to p'_{j_r}\Big) \wedge \Big(\bigwedge_i (\forall Y)\ \theta(u_i) = \theta(u'_i)\Big) \wedge \Big(\bigwedge_j (\forall Y)\ \theta(v_j) : s_j\Big) \wedge \Big(\bigwedge_k (\forall Y)\ \theta(w_k) \to \theta(w'_k)\Big)}{(\forall Y)\ \theta(t) \to \theta'(t')}$$
where for $x \in X - Z$, $\theta'(x) = \theta(x)$, and for $x_{j_r} \in Z$, $\theta'(x_{j_r}) = p'_{j_r}$, $1 \le r \le m$.

— Transitivity.
$$\frac{(\forall X)\ t_1 \to t_2 \qquad (\forall X)\ t_2 \to t_3}{(\forall X)\ t_1 \to t_3}$$


We can visualize the above inference rules as follows:

[Figure: diagrammatic renderings of the Reflexivity, Equality, Congruence, Replacement and Transitivity rules; not reproduced in this text version.]

Intuitively, we should think of the above inference rules as different ways of constructing all the (finitary) concurrent computations of the concurrent system specified by $\mathcal{R}$. The Reflexivity rule says that for any state $t$ there is an idle transition in which nothing changes. The Equality rule specifies that the states are in fact equivalence classes modulo the equations $E$. The Congruence rule is a very general form of “sideways parallelism,” so that each operator $f$ can be seen as a parallel state constructor, allowing its nonfrozen arguments to evolve in parallel. The Replacement rule supports a different form of parallelism, which could be called “parallelism under one’s feet,” since besides rewriting an instance of a rule’s lefthand side to the corresponding righthand side instance, the state fragments in the substitution of the rule’s variables can also be rewritten, provided the variables involved are not frozen. Finally, the Transitivity rule allows us to build longer concurrent computations by composing them sequentially.

For a rewrite theory to be executable, so that the above inference rules can be efficiently tool supported, some additional requirements should be met. First, $E$ should decompose as a union $E = E_0 \cup A$, with $A$ a set of equational axioms such as associativity, commutativity, identity, for which an effective matching algorithm modulo $A$ exists, and $E_0$ a set of (ground) confluent and terminating⁷ equations, so that a canonical form can be computed for each term $t$ by applying the equations in $E_0$ modulo $A$ to $t$ until termination. Second, the rules $R$ should be coherent with $E_0$ modulo $A$ [87]; intuitively, this means that, to get the effect of rewriting in equivalence classes modulo $E$, we can always first simplify a term with the equations to its canonical form, and then rewrite with a rule in $R$. Finally, the rules in $R$ should be admissible [18], meaning that in a rule of the form (b), besides the variables appearing in $t$ there can be extra variables in $t'$, provided that they also appear in the condition and that they can all be incrementally instantiated by either matching a pattern in a “matching equation” or performing breadth first search in a rewrite condition (see [18] for a detailed description of admissible equations and rules).

7 The termination condition may be dropped for programming language specifications in which some equationally defined language constructs may not terminate. Even the confluence modulo $A$ may be relaxed, by restricting it to terms in some “observable kinds” of interest. The point is that there may be some “unobservable” kinds for which several different but semantically equivalent terms can be derived by equational simplification: all we need in practice is that the operations are confluent for terms in an observable kind, such as that of values, so that a unique canonical form is then reached for them if it exists.



2.4 Rewriting Logic’s Model Theory and Temporal Logic 



Given a rewrite theory $\mathcal{R} = (\Sigma, E, \phi, R)$, its $\mathcal{R}$-reachability relation $\to_\mathcal{R}$ (also called $\mathcal{R}$-rewriting relation, or $\mathcal{R}$-provability relation) is defined proof-theoretically, for each kind $k$ in $\Sigma$ and each $[t], [t'] \in T_{\Sigma/E,k}$, by the equivalence
$$[t] \to_\mathcal{R} [t'] \iff \mathcal{R} \vdash (\forall \emptyset)\ t \to t',$$
which by the Equality rule is independent of the choice of $t, t'$. Model-theoretically, $\mathcal{R}$-reachability can be defined as the family of relations, indexed by the kinds $k$ in $\Sigma$, interpreting the sorts $Arrow_k$ in the initial model of a membership equational theory $Reach(\mathcal{R})$ axiomatizing the reachability models of the rewrite theory $\mathcal{R}$ [14]. The initial reachability model is then the initial algebra $T_{Reach(\mathcal{R})}$. In particular, the one-step $\mathcal{R}$-rewrite relations for each kind $k$ are the extensions in $T_{Reach(\mathcal{R})}$ of subsorts $Arrow^1_k < Arrow_k$. We denote such a relation on $E$-equivalence classes of terms with the notation $[t] \to_{\mathcal{R},k} [t']$. Thus, a rewrite theory $\mathcal{R}$ specifies for each kind $k$ a transition system characterized by $\to_{\mathcal{R},k}$, which can be made total by adding idle transitions for deadlock states, denoted $(\to_{\mathcal{R},k})^\bullet$. This is almost a Kripke structure: we still need to specify the state predicates in a set of predicates $\Pi$. This can be done equationally, by choosing a kind $k$ as the kind of states, and giving equations defining when each predicate $p \in \Pi$ holds for a state $[t]$ of kind $k$, thus getting a labeling function $L_\Pi$.

This way, we can associate to a rewrite theory $\mathcal{R} = (\Sigma, E, \phi, R)$ with a designated kind $k$ of states and state predicates $\Pi$, the Kripke structure $(T_{\Sigma/E,k}, (\to_{\mathcal{R},k})^\bullet, L_\Pi)$. We can then define the semantics of any temporal logic formula over predicates $\Pi$ in the usual way [17], for any desired temporal logic such as LTL, CTL*, the modal $\mu$-calculus, and so on (see [45]). Furthermore, if the states reachable from an initial state form a finite set, then we can model check such formulas. Maude provides an explicit-state LTL model checker for executable rewrite theories with a performance comparable to that of SPIN [24].

Reachability models for a rewrite theory $\mathcal{R}$ are a special case of more general true concurrency models, in which different concurrent computations from one state to another correspond to equivalence classes of proofs in rewriting logic. That is, concurrent computations are placed in bijective correspondence with proofs in a Curry-Howard like equivalence. The paper [14] shows that initial models exist for both reachability models and true concurrency models of a rewrite theory $\mathcal{R}$, and that both kinds of models make the rules of inference of rewriting logic sound and complete. We denote by $\mathcal{T}_{Reach(\mathcal{R})}$, resp. $\mathcal{T}_\mathcal{R}$, the initial reachability, resp. true-concurrency, model of a rewrite theory $\mathcal{R}$.
2.5 Specifying Concurrency Models and Programming Languages



Because rewriting logic is neutral about concurrency constructs, it is a general semantic framework for concurrency that can express many concurrency models such as: equational programming, which is the special case of rewrite theories whose set of rules is empty and whose equations are Church-Rosser, possibly modulo some axioms $A$; lambda calculi and combinatory reduction systems [41,39,72,69]; labeled transition systems [41]; grammars and string-rewriting systems [41]; Petri nets, including place/transition nets, contextual nets, algebraic nets, colored nets, and timed Petri nets [41,43,70,73,60,68]; Gamma and the Chemical Abstract Machine [41]; CCS and LOTOS [48,40,15,22,83,82,84,80]; the $\pi$-calculus [85,69,78]; concurrent objects and actors [41,42,76,77]; the UNITY language [41]; concurrent graph rewriting [43]; dataflow [43]; neural networks [43]; real-time systems, including timed automata, timed transition systems, hybrid automata, and timed Petri nets [60,59]; and the tile logic [29] model of synchronized concurrent computation [49,13].

Since the above are typically executable, rewriting logic is a flexible operational semantic framework to specify such models. What is not immediately apparent is that it is also a flexible mathematical semantic framework for concurrency models. Well-known models of concurrency are isomorphic to the initial model $\mathcal{T}_\mathcal{R}$ of the rewrite theory $\mathcal{R}$ axiomatizing that particular model, or at least closely related to such an initial model: [39] shows that for rewrite theories $\mathcal{R} = (\Sigma, \emptyset, \phi, R)$ with the rules $R$ left-linear, $\mathcal{T}_\mathcal{R}$ is isomorphic to a model based on residuals and permutation equivalence proposed by Boudol [7], and also that for $\mathcal{R}$ a rewrite theory of an orthogonal combinatory reduction system, including the $\lambda$-calculus, a quotient of $\mathcal{T}_\mathcal{R}$ is isomorphic to a well-known model of parallel reductions; [73] shows that for $\mathcal{R}$ a rewrite theory of a place/transition net, $\mathcal{T}_\mathcal{R}$ is isomorphic to the Best-Devillers net process model [5] and then generalizes this isomorphism to one between $\mathcal{T}_\mathcal{R}$ and a Best-Devillers-like model for the rewrite theory of an algebraic net; [15,22] show that for $\mathcal{R}$ axiomatizing CCS, a truly concurrent semantics causal model based on proved transition systems is isomorphic to a quotient of $\mathcal{T}_\mathcal{R}$; [50] shows that for $\mathcal{R}$ axiomatizing a concurrent object-oriented system satisfying reasonable requirements, a subcategory of $\mathcal{T}_\mathcal{R}$ is isomorphic to a partial order of events model which, for asynchronous object systems corresponding to actors, coincides with the finitary part of the Baker-Hewitt partial order of events model [2].

All the above remarks apply also to the specification of programming languages, which often implement specific concurrency models. In particular, both an operational semantics and a denotational semantics are provided for a language when it is specified as a rewrite theory. How is this generally done? We can define the semantics of a concurrent programming language, say $\mathcal{C}$, by specifying a rewrite theory, say $\mathcal{R}_\mathcal{C} = (\Sigma_\mathcal{C}, E_\mathcal{C}, \phi_\mathcal{C}, R_\mathcal{C})$, where $\Sigma_\mathcal{C}$ is $\mathcal{C}$’s syntax and the auxiliary operators (store, environment, etc.), $E_\mathcal{C}$ specifies the semantics of all the deterministic features of $\mathcal{C}$ and of the auxiliary semantic operations, the frozenness information $\phi_\mathcal{C}$ specifies what arguments can be rewritten with rules for each operator, and the rewrite rules $R_\mathcal{C}$ specify the semantics of all the concurrent features of $\mathcal{C}$. Section 3 does exactly this.



3 Specifying Deterministic and Concurrent Features 

In this section we illustrate the rewriting logic semantics techniques advocated in 
this paper on a nontrivial Caml-like programming language. We show how sev- 
eral important programming language features, such as arithmetic and boolean 
expressions, conditional statements, high-order functions, lists, let bindings, re- 
cursion with let rec, side effects via variable assignments, blocks and loops, 
exceptions, and concurrency via threads and synchronization, can be succinctly, 
modularly and efficiently defined in rewriting logic. What we present in this 
section should be regarded as one possible way to define this language, a way 
which is by no means unique or optimal. The various features are shown in the 
following diagram: 




INT is a Maude builtin module defining arbitrary precision integers; ID defines identifiers as well as comma-separated lists of identifiers; GENERIC-EXP defines a special sort for expressions as well as comma-separated lists of such expressions; ARITHMETIC-EXP adds arithmetic operators, such as addition, multiplication, etc., and BOOLEAN-EXP adds boolean expressions; the latter are further used to define conditionals, loops and lists (lists contain an empty list check); BINDINGS defines bindings as special lists of pairs “identifier = expression”, which are further needed to define both LET and LETREC; ASSIGNMENT defines variable assignments; BLOCK defines blocks enclosed with curly brackets “{” and “}” containing sequences of expressions separated by semicolon (blocks are used for their side effects); FUNCTION defines high order functions, in a Caml style; EXCEPTION defines exceptions using try ... catch ... and throw ... keywords, where the “catch” part is supposed to evaluate to a function of one argument, to which a value can be “thrown” from the “try” part; THREAD defines new threads which can be created and destroyed dynamically; finally, LANGUAGE creates the desired programming language by putting all the features together. Each of the above has a syntactic and a semantic part, each specified as a Maude module. The entire Maude specification has less than 400 lines of code.



3.1 Defining the Syntax and Desugaring 

Here we show how to define the syntax of a programming language in Maude, to- 
gether with several simple desugaring translations that will later simplify the se- 
mantic definitions, such as translations of “for” loops into “while” loops. We first 
define identifiers, which add to Maude’s builtin quoted identifiers (QID) several 
common (unquoted) one-character identifiers, together with comma-separated 
lists of identifiers that will be needed later: 



fmod ID is protecting QID .
  sorts Id IdList . subsorts Qid < Id < IdList .
  ops a b c d e f g h i j k l m n o p q r s t u v x y z w : -> Id .
  op nil : -> IdList .
  op _,_ : IdList IdList -> IdList [assoc id: nil prec 1] .
endfm



The attribute “prec 1” assigns a precedence to the comma operator, to avoid using unnecessary parentheses: the lower the precedence of an operator, the tighter the binding. We next define generic expressions, including for now integers and white-space-separated sequences of “names”, where a name is either an identifier or the special symbol “()”. Sequences of names and comma-separated lists of expressions will be needed later to define lists and bindings and function declarations, respectively. The attribute “gather (E e)” states that the name sequencing operator is left associative and the “ditto” attribute states that the current operation inherits all the attributes of an operation with the same name and kind arity previously defined (in our case the comma operator in ID):



fmod GENERIC-EXP-SYNTAX is protecting ID . protecting INT .
  sorts Unit Name NameSeq Exp ExpList .
  subsorts Unit Id < Name < NameSeq < Exp < ExpList .
  subsort Int < Exp . subsort IdList < ExpList .
  op `(`) : -> Unit .
  op __ : NameSeq NameSeq -> NameSeq [gather (E e) prec 1] .
  op _,_ : ExpList ExpList -> ExpList [ditto] .
endfm



The rest of the syntax adds new expressions to the language modularly. The 
next four modules add arithmetic, boolean, conditional and list expressions. Note 
that in the LIST module, the list constructor takes a comma-separated list of 
expressions and returns an expression: 



fmod ARITHMETIC-EXP-SYNTAX is extending GENERIC-EXP-SYNTAX .
  ops _+_ : Exp Exp -> Exp [ditto] .
  ops _/_ : Exp Exp -> Exp [prec 31] .
endfm

fmod BOOLEAN-EXP-SYNTAX is extending GENERIC-EXP-SYNTAX .
  ops _==_ _<=_ _>=_ _<_ _>_ _and_ _or_ : Exp Exp -> Exp .
  op not_ : Exp -> Exp .
endfm

fmod IF-SYNTAX is extending GENERIC-EXP-SYNTAX .
  op if_then_else_ : Exp Exp Exp -> Exp .
endfm

fmod LIST-SYNTAX is extending GENERIC-EXP-SYNTAX .
  op list : ExpList -> Exp .
  ops car cdr null? : Exp -> Exp .
  op cons : Exp Exp -> Exp .
endfm



We next define functions. Like in Caml, we want to define functions using a 
syntax like “fun x y z -> x + y * z”. However, “fun x y z -> ...” is syn- 
tactic sugar for “fun x -> fun y -> fun z -> ...”, so to keep the semantics 
simple later we prefer to consider this uncurrying transformation as part of the 
syntax. Function application simply extends the name sequencing operator: 



fmod FUNCTION-SYNTAX is extending GENERIC-EXP-SYNTAX .
  op fun_->_ : NameSeq Exp -> Exp .
  op __ : Exp Exp -> Exp [ditto] .
  var Zs : NameSeq . var Z : Name . var E : Exp .
  eq fun Zs Z -> E = fun Zs -> fun Z -> E .
endfm



Bindings of names to values are crucial in any functional programming lan- 
guage. Like in Caml, in our language bindings are “and” -separated pairs of equal- 
ities. However, note that “f x y z = ...” is just syntactic sugar for “f = fun 
x y z -> . . . ” . Since the semantics of bindings will involve allocation of new 
memory locations for the bound identifiers, it will be very helpful to know up- 
front the number and the list of identifiers. Two equations take care of this: 



fmod BINDING-SYNTAX is extending FUNCTION-SYNTAX .
  sorts Binding Bindings . subsort Binding < Bindings .
  op _and_ : Bindings Bindings -> Bindings [assoc prec 100] .
  op _,_,_ : Nat IdList ExpList -> Bindings .
  op _=_ : NameSeq Exp -> Binding .
  var Zs : NameSeq . var Z : Name . var X : Id . var E : Exp .
  vars N N' : Nat . vars Xl Xl' : IdList . vars El El' : ExpList .
  eq (Zs Z = E) = (Zs = fun Z -> E) .
  eq (X = E) = (1, X, E) .
  eq (N, Xl, El) and (N', Xl', El') = (N + N', (Xl, Xl'), (El, El')) .
endfm

We can now define the two major binding language constructors, namely “let” and “let rec”, the latter typically being used to define recursive functions:

fmod LET-SYNTAX is extending BINDING-SYNTAX . 

op let_in_ : Bindings Exp -> Exp . 
endfm 

fmod LETREC-SYNTAX is extending BINDING-SYNTAX . 

op let rec_in_ : Bindings Exp -> Exp . 
endfm 
We next add several imperative features, such as variable assignment, blocks and loops. The variable assignment assumes the identifier already allocated at some location, and just changes the value stored at that location. Both “for” and “while” loops are allowed, but the former ones are immediately desugared:

fmod ASSIGNMENT-SYNTAX is extending GENERIC-EXP-SYNTAX .
  op : Name Exp -> Exp .
endfm

fmod BLOCK-SYNTAX is extending GENERIC-EXP-SYNTAX .
  sort ExpBlock . subsort Exp < ExpBlock .
  op _;_ : ExpBlock ExpBlock -> ExpBlock [assoc prec 100] .
  op {_} : ExpBlock -> Exp .
endfm

fmod LOOP-SYNTAX is extending BLOCK-SYNTAX .
  op while__ : Exp Exp -> Exp .
  op for`(_;_;_`)_ : Exp Exp Exp Exp -> Exp .
  vars Start Cond Step Body : Exp .
  eq for (Start ; Cond ; Step) Body = {Start ; while Cond {Body ; Step}} .
endfm
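As an added example (not the paper's Maude code), the desugaring equations of FUNCTION-SYNTAX, BINDING-SYNTAX and LOOP-SYNTAX carried out in Python on a tuple-encoded AST; the node tags ('app', 'set', 'block' and so on) are this example's own encoding of the language's syntax, and the encoded list-product program is the one Section 3.1 parses further below.

```python
"""Added example, not the paper's Maude code: the desugaring equations of
FUNCTION-SYNTAX, BINDING-SYNTAX and LOOP-SYNTAX applied to a small
tuple-encoded AST.  Node tags ('app', 'set', 'block', ...) are this example's
own encoding of the language's syntax, not Maude operator names."""


def desugar(e):
    """Bottom-up rewrite mirroring the Maude equations.  Atoms (integers,
    identifiers, the unit '()') and unknown node kinds pass through, so the
    function is total on the encoded syntax."""
    if isinstance(e, list):                       # a comma-separated ExpList
        return [desugar(x) for x in e]
    if not isinstance(e, tuple):
        return e
    tag, *args = e
    if tag == "fun":
        # eq fun Zs Z -> E = fun Zs -> fun Z -> E   (uncurry, right to left)
        names, body = args
        body = desugar(body)
        for z in reversed(names):
            body = ("fun", z, body)
        return body
    if tag == "=":
        # eq (Zs Z = E) = (Zs = fun Z -> E) ;  eq (X = E) = (1, X, E)
        names, rhs = args
        x, *params = names
        return ("bindings", 1, [x], [desugar(("fun", params, rhs))])
    if tag == "and":
        # eq (N, Xl, El) and (N', Xl', El') = (N + N', (Xl, Xl'), (El, El'))
        (_, n1, xl1, el1), (_, n2, xl2, el2) = (desugar(a) for a in args)
        return ("bindings", n1 + n2, xl1 + xl2, el1 + el2)
    if tag == "for":
        # eq for (Start ; Cond ; Step) Body = {Start ; while Cond {Body ; Step}}
        start, cond, step, body = (desugar(a) for a in args)
        return ("block", [start, ("while", cond, ("block", [body, step]))])
    return (tag, *(desugar(a) for a in args))


# Constructed encoding of the paper's list-product program:
#   let p l = try let rec a l = if null?(l) then 1
#                                else if car(l) == 0 then throw 0
#                                else car(l) * (a cdr(l))
#                 in a l catch fun x -> x
#   in p list(1, 2, 3, 0)
PRODUCT_PROGRAM = (
    "let",
    ("=", ["p", "l"],
     ("try",
      ("letrec",
       ("=", ["a", "l"],
        ("if", ("null?", "l"), 1,
         ("if", ("==", ("car", "l"), 0), ("throw", 0),
          ("*", ("car", "l"), ("app", "a", ("cdr", "l")))))),
       ("app", "a", "l")),
      ("fun", ["x"], "x"))),
    ("app", "p", ("list", [1, 2, 3, 0])),
)


def binding_count(bindings):
    """The N component the paper keeps up front so that let/let rec know how
    many fresh locations to allocate."""
    assert bindings[0] == "bindings"
    return bindings[1]


if __name__ == "__main__":
    print(desugar(PRODUCT_PROGRAM))
```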



We next add syntax for two important features, exceptions and threads: 



fmod EXCEPTION-SYNTAX is extending GENERIC-EXP-SYNTAX .
  op try_catch_ : Exp Exp -> Exp .
  op throw_ : Exp -> Exp .
endfm

fmod THREAD-SYNTAX is extending GENERIC-EXP-SYNTAX .
  ops spawn_ lock_ acquire_ release_ : Exp -> Exp .
endfm



We can now put all the syntax together, noticing that the syntax modules of 
most of the features above are independent from each other, so one can easily 
reuse them to build other languages, using Maude 2.01’s renaming facility to 
adapt each module to the concrete syntax of the chosen language: 



fmod LANGUAGE-SYNTAX is
  extending IF-SYNTAX . extending ARITHMETIC-EXP-SYNTAX . extending BOOLEAN-EXP-SYNTAX .
  extending LET-SYNTAX . extending FUNCTION-SYNTAX . extending LIST-SYNTAX .
  extending LOOP-SYNTAX . extending LETREC-SYNTAX . extending ASSIGNMENT-SYNTAX .
  extending EXCEPTION-SYNTAX . extending THREAD-SYNTAX .
endfm



One can now parse programs using Maude’s “parse” command. For example, 
the following program recursively calculating the product of elements in a list, 
will correctly parse as “Exp”. Note that this program uses an exception to im- 
mediately return 0 whenever a 0 is encountered in the input list. 



parse
  let p l = try let rec a l = if null?(l) then 1
                              else if car(l) == 0 then throw 0
                              else car(l) * (a cdr(l))
                in a l catch fun x -> x
  in p list(1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20) .
3.2 Defining the State Infrastructure



Before defining the semantics of a programming language, one needs to define the 
notion of programming language state. There are different possibilities to design 
the state needed to give semantics to a language, depending on its complexity 
and one’s taste. However, any language worth its salt supports identifiers that are 
bound to values; since our language has side effects (due to variable assignments) , 
we need to split the mapping of identifiers to values into a map of identifiers to 
locations, called an environment, and a map of locations to values, called a store. 

Let us first define locations. A location is essentially an integer; to keep it 
distinct from other integers, we wrap it with the constructor “loc” . An auxiliary 
operation creating a given number of locations starting with a given one will be 
very useful when defining bindings and functions, so we provide it here. 



fmod LOCATION is protecting INT .
  sorts Location LocationList . subsort Location < LocationList .
  op loc : Nat -> Location .
  op nil : -> LocationList .
  op _,_ : LocationList LocationList -> LocationList [assoc id: nil] .
  op locs : Nat Nat -> LocationList .
  eq locs(N:Nat, 0) = nil .
  eq locs(N:Nat, #:Nat) = loc(N:Nat), locs(N:Nat + 1, #:Nat - 1) .
endfm



An elegant and efficient way to define a mapping in Maude is as a set of pairs formed with an associative (A) and commutative (C) union operator _||_ with identity (I) empty. Then environments can be defined as below. Note the use of ACI matching to evaluate or update an environment at an identifier, so that one does not need to traverse the entire set in order to find the desired element:



fmod ENVIRONMENT is protecting ID . protecting LOCATION .
  sort Env .
  op empty : -> Env .
  op [_,_] : Id Location -> Env .
  op _||_ : Env Env -> Env [assoc comm id: empty] .
  op _[_<-_] : Env IdList LocationList -> Env .
  var Env : Env . vars L L' : Location . var Xl : IdList . var Ll : LocationList .
  eq Env[nil <- nil] = Env .
  eq ([X:Id,L] || Env)[X:Id,Xl <- L',Ll] = ([X:Id,L'] || Env)[Xl <- Ll] .
  eq Env[X:Id,Xl <- L,Ll] = (Env || [X:Id,L])[Xl <- Ll] [owise] .
endfm



Values and stores can be defined in a similar way. Since we want our modules to be as independent as possible, to be reused for defining other languages, we prefer to not state at this moment the particular values that our language handles, such as integers, booleans, functions (i.e., closures), etc. Instead, we define the values when they are first needed within the semantics. However, since lists of values are frequently used for various reasons, we believe that many languages need them, so we introduce them as part of the VALUE module:
fmod VALUE is sorts Value ValueList . subsort Value < ValueList .
  op noValue : -> Value .
  op nil : -> ValueList .
  op _,_ : ValueList ValueList -> ValueList [assoc id: nil] .
  op [_] : ValueList -> Value .
endfm

fmod STORE is protecting LOCATION . protecting VALUE .
  sort Store .
  op empty : -> Store .
  op [_,_] : Location Value -> Store .
  op _||_ : Store Store -> Store [assoc comm id: empty] .
  op _[_<-_] : Store LocationList ValueList -> Store .
  var L : Location . var M : Store . vars V V' : Value .
  var Ll : LocationList . var Vl : ValueList .
  eq M[nil <- nil] = M .
  eq ([L,V] || M)[L,Ll <- V',Vl] = ([L,V'] || M)[Ll <- Vl] .
  eq M[L,Ll <- V',Vl] = (M || [L,V'])[Ll <- Vl] [owise] .
endfm



Since our language has complex control-context constructs, such as exceptions 
and threads, we follow a continuation passing style (CPS) definitional methodology
(see [63] for a discussion on several independent discoveries of continuations).
The use of continuations seems to be novel in the context of semantic language 
definitions based on algebraic specification techniques. We have found contin- 
uations to be very useful in several of our programming language definitions, 
not only because they allow us to easily and naturally handle complex control- 
related constructs, but especially because they lead to an increased efficiency in 
simulations and formal analysis, sometimes more than an order of magnitude 
faster than using other techniques. Like for values, at this moment we prefer to 
avoid defining any particular continuation items; we only define the “stop” con- 
tinuation, which will stop the computation, together with the essential operator 
stacking continuation items on top of an existing continuation: 



fmod CONTINUATION is sorts Continuation ContinuationItem .
  op stop : -> Continuation .
  op _->_ : ContinuationItem Continuation -> Continuation .
endfm



We are now ready to put all the state infrastructure together and to define the 
state of a program in our language. A key decision in our definitional methodol- 
ogy is to consider states as sets of state attributes, which can be further nested 
at any degree required by the particular language definition. This way, the se- 
mantic equations and rules will be local, and will only have to mention those 
state attributes that are needed to define the semantics of a specific feature, 
thus increasing the clarity, modularity and efficiency of language definitions. 
The following specifies several state attributes, which are so common in mod- 
ern languages that we define them as part of the generic state module. Other 
attributes will be defined later, as needed by specific language features. 

fmod STATE is sorts StateAttribute LState . subsort StateAttribute < LState .
  extending ENVIRONMENT . extending STORE . extending CONTINUATION .
  op empty : -> LState .
  op _||_ : LState LState -> LState [assoc comm id: empty] .
  op k : Continuation -> StateAttribute .
  op n : Nat -> StateAttribute .
  op m : Store -> StateAttribute .
  op t : LState -> StateAttribute .
  op e : Env -> StateAttribute .
  op x : Continuation -> StateAttribute .
endfm



“k” wraps a continuation, “n” keeps the current free memory location, “m” the 
store, or “memory”, “t” the state of a thread, “e” the execution environment 
of a thread, so it will be part of the state of a thread, and “x” a continuation of 
exceptions that will also be part of a thread’s state. A typical state of a program 
in our language will have the following structure, 

t(k(...) || e(...) || x(...) || ...) || ... || t(k(...) || e(...) || x(...) || ...) ||
n(N) || m(...) || ...

where the local states of one or more threads are wrapped as global state attributes
using constructors t(...), where N is a number for the next free location, and m(...)
keeps the store. Other state attributes can be added as needed,
both inside threads and at the top level. Indeed, we will add top state attributes 
storing the locks that are taken by threads, and thread local attributes stat- 
ing how many times each lock is taken by that thread. An important aspect 
of our semantic definitions, facilitated by Maude’s ACI-matching capabilities, is 
that programming language features will be defined modularly, by referring to 
only those attributes that are needed. As we can see below, most of the semantic 
axioms refer to only one continuation! This way, one can add new features requir- 
ing new state attributes, without having to change the already existing semantic 
definitions. Moreover, equations and/or rules can be applied concurrently, thus 
increasing the efficiency of our interpreters and tools. 



3.3 Defining the Semantics 

The general intuition underlying CPS language definitions is that control-contexts
become data-contexts, so they are manipulated like any other piece of
data. Each continuation contains a sequence of execution obligations, which are 
stacked and processed accordingly. At each moment there is exactly one expres- 
sion to be processed, namely the topmost expression in the stack. The following 
module gives CPS-semantics to generic expressions, that is, integers, identifiers, 
and lists of expressions. Integer values and several continuation items are needed: 



mod GENERIC-EXP-SEMANTICS is protecting GENERIC-EXP-SYNTAX . extending STATE .
  op int : Int -> Value .
  op _->_ : ExpList Continuation -> Continuation .
  op _->_ : ValueList Continuation -> Continuation .
  op _->_ : Env Continuation -> Continuation .
  var I : Int . var K : Continuation . var X : Id . vars Env Env' : Env .
  var L : Location . var V : Value . var Vl : ValueList .
  var M : Store . var E : Exp . var El : ExpList . var R : LState .
  eq k(I -> K) = k(int(I) -> K) .
  eq k(() -> K) = k((nil).ValueList -> K) .
  rl t(k(X -> K) || e([X,L] || Env) || R) || m([L,V] || M) =>
     t(k(V -> K) || e([X,L] || Env) || R) || m([L,V] || M) .
  ceq k((E,El) -> K) = k(E -> El -> K) if El =/= nil .
  eq k(V -> El -> K) = k(El -> V -> K) .
  eq k(Vl -> V -> K) = k(V,Vl -> K) .
  eq k(V -> Env -> K) || e(Env') = k(V -> K) || e(Env) .
endm



The definitions above deserve some discussion. A continuation of the form “E 
-> K” should be read and thought of as one “containing E followed by the rest 
of the computation/continuation K”, and one of the form “V -> K” as one which 
“calculated V as the result of the previous expression at the top, but still has to 
process the computation/continuation K”. Thus the first two equations above are 
clear. Similarly, a continuation “Env -> K” states that the current environment 
should be set to Env; this is needed in order to recover environments after pro- 
cessing bindings or function invocations. In fact, environments only need to be 
restored after a value is calculated in the modified environment; the last equa- 
tion does exactly that. The other three equations process a list of expressions 
incrementally, returning a continuation containing a list of values at the top; 
note that, again, exactly one expression is processed at each moment. 

The trickiest axiom in the above module is the rewriting rule, fetching the 
value associated to an identifier. It heavily exploits ACI matching and can in- 
tuitively be read as follows: if there is any thread whose continuation contains 
an identifier X at the top, whose environment maps X to a location L, and whose 
rest of resources R are not important, if V is the value associated to L in the 
store (note that the store is not part of any thread, because it is shared by all of 
them) then simply return V, the value associated with X, on top of the continuation;
the rest of the computation K will know what to do with V. It is very important
to note that this must be a rule! This is because the variable X may be shared by
several threads, some of them potentially writing it via a variable assignment, so 
a variable read reflects a concurrent aspect of our programming language, whose 
behavior may depend upon the behavior of other threads. 

The CPS semantics of arithmetic and boolean operators is straightforward: 
first place the operation to be performed in the continuation, then the expressions 
involved as a list in the desired order of evaluation (they can have side effects); 
after they are evaluated to a corresponding list of values, replace them by the 
result of the corresponding arithmetic or boolean operator. Note that a new type 
of value is needed for booleans: 



fmod ARITHMETIC-EXP-SEMANTICS is extending ARITHMETIC-EXP-SYNTAX .
  extending GENERIC-EXP-SEMANTICS .
  ops + - * / % : -> ContinuationItem .
  vars E E' : Exp . vars I I' : Int . var K : Continuation .
  eq k(E + E' -> K) = k((E,E') -> + -> K) .
  eq k((int(I),int(I')) -> + -> K) = k(int(I + I') -> K) .
  *** -, *, /, % are defined similarly
endfm

fmod BOOLEAN-EXP-SEMANTICS is protecting BOOLEAN-EXP-SYNTAX .
  extending ARITHMETIC-EXP-SEMANTICS .
  op bool : Bool -> Value .
  ops == >= <= > < and or not : -> ContinuationItem .
  vars E E' : Exp . var K : Continuation . vars I I' : Int . vars B B' : Bool .
  eq k((E > E') -> K) = k((E,E') -> > -> K) .
  eq k((int(I),int(I')) -> > -> K) = k(bool(I > I') -> K) .
  *** ==, >=, <=, < are defined similarly
  eq k((E and E') -> K) = k((E,E') -> and -> K) .
  eq k((bool(B),bool(B')) -> and -> K) = k(bool(B and B') -> K) .
  *** 'or' and 'not' are defined similarly
endfm



The CPS semantics of conditionals “if BE then E else E'” is immediate:
freeze E and E' in the current continuation K and then place BE on top and
let it evaluate to a boolean value; then, depending upon the boolean value,
unfreeze either E or E' and continue the computation. Note that a Maude “runtime
error”, i.e., a non-reducible term acting as a “core dump”, will be obtained if 
BE does not evaluate to a boolean value. In fact, our programming language can 
be seen as a dynamically typed language; as shown in the lecture notes in [64], 
it is actually not hard to define static type checkers, but we do not discuss this 
aspect here: 



fmod IF-SEMANTICS is protecting IF-SYNTAX . extending BOOLEAN-EXP-SEMANTICS .
  op if : Exp Exp -> ContinuationItem .
  vars BE E E' : Exp . var K : Continuation . var B : Bool .
  eq k((if BE then E else E') -> K) = k(BE -> if(E,E') -> K) .
  eq k(bool(B) -> if(E,E') -> K) = k(if B then E else E' fi -> K) .
endfm



Following the same CPS intuitions, the semantics of lists follows easily: 



fmod LIST-SEMANTICS is protecting LIST-SYNTAX .
  extending BOOLEAN-EXP-SEMANTICS .
  ops list car cdr cons null? : -> ContinuationItem .
  vars E E' : Exp . var El : ExpList . var K : Continuation .
  var V : Value . var Vl : ValueList . var Env : Env .
  eq k(list(El) -> K) = k(El -> list -> K) .   eq k(Vl -> list -> K) = k([Vl] -> K) .
  eq k(car(E) -> K) = k(E -> car -> K) .       eq k([V,Vl] -> car -> K) = k(V -> K) .
  *** 'cdr', 'cons' and 'null?' are defined similarly
endfm



Due to the simplifying rule in FUNCTION-SYNTAX, we only need to worry about
giving semantics to functions of one argument, which can be either an identifier
or the unit “()”. Since our language is statically scoped, we need to introduce a new value
for closures, freezing the declaration environment of a function (1st equation).
Function applications are defined as usual, by first evaluating the two expressions 
involved, the first being expected to evaluate to a closure, and then applying the 
first value to the second (a new continuation item, “apply” is needed). Two 
cases are distinguished here, when the argument of the function is the unit “()” 
or when it is an identifier X. In both cases the current environment is stored in 
the continuation, to be recovered later (after the evaluation of the body of the 
function) via the last equation in GENERIC-EXP-SEMANTICS, and the body of the 
function is evaluated in its declaration environment, that is frozen in the closure. 
When the function has an argument, a new location also needs to be created. 
fmod FUNCTION-SEMANTICS is protecting FUNCTION-SYNTAX . extending GENERIC-EXP-SEMANTICS .
  op cl : Name Exp Env -> Value .
  op apply : -> ContinuationItem .
  var A : Name . vars F E : Exp . var K : Continuation . vars Env Env' : Env .
  var X : Id . var N : Nat . var R : LState . var V : Value . var M : Store .
  eq k((fun A -> E) -> K) || e(Env) = k(cl(A,E,Env) -> K) || e(Env) .
  eq k(F E -> K) = k(F,E -> apply -> K) .
  eq k((cl((),E,Env),nil) -> apply -> K) || e(Env') = k(E -> Env' -> K) || e(Env) .
  eq t(k((cl(X,E,Env),V) -> apply -> K) || e(Env') || R) || n(N) || m(M) =
     t(k(E -> Env' -> K) || e(Env[X <- loc(N)]) || R) || n(N + 1) || m(M[loc(N) <- V]) .
endfm



LET and LETREC create new memory locations and change the execution environ- 
ment. With the provided infrastructure, they are however quite easy to define. 
Note first that the desugaring translation in the module BINDING-SYNTAX reduces 
any list of bindings to a triple (#, Xl, El), where # is the number of bindings, Xl
is the list of identifiers to be bound, and El is the list of corresponding binding
expressions. If let(#,Xl,El) in E is the current expression at the top of the
continuation of a thread whose current environment is Env and whose rest of
resources is R, and if N is the next available location (this is a global counter),
then the CPS semantics works intuitively as follows: (1) freeze the current
environment in the continuation, to be restored after the evaluation of E; (2) place E
in the continuation; (3) generate # fresh locations and place in the continuation
data-structure the information that these locations will be assigned to the
identifiers in Xl at the appropriate moment, using an appropriate continuation item;
(4) place the expressions El on top of the continuation; (5) once El is evaluated
to a list of values Vl, they are stored at the new locations and the environment
of the thread is modified accordingly, preparing for the evaluation of E; (6) af- 
ter E is evaluated, the original environment will be restored, thanks to (1) and 
the last equation in GENERIC-EXP-SEMANTICS. All these technical steps can be 
compactly expressed with only two equations, again relying heavily on the ACI 
matching capabilities of Maude. Note that, despite their heavy use of memory, 
these equations do not need to be rules, because they can be executed deter- 
ministically regardless of the behavior of other threads. The fact that threads 
“compete” on the counter for the next available location N is immaterial, because 
there is no program whose behavior is influenced by which thread grabs N first. 



fmod LET-SEMANTICS is protecting LET-SYNTAX . extending GENERIC-EXP-SEMANTICS .
  op `(_`,_`) : IdList LocationList -> ContinuationItem .
  vars # N : Nat . var Xl : IdList . var El : ExpList . var E : Exp .
  var K : Continuation . var Env : Env . var R : LState . var M : Store .
  var Ll : LocationList . var Vl : ValueList .
  eq t(k(let(#,Xl,El) in E -> K) || e(Env) || R) || n(N) =
     t(k(El -> (Xl,locs(N,#)) -> E -> Env -> K) || e(Env) || R) || n(N + #) .
  eq t(k(Vl -> (Xl,Ll) -> K) || e(Env) || R) || m(M) =
     t(k(K) || e(Env[Xl <- Ll]) || R) || m(M[Ll <- Vl]) .
endfm



The let rec construct gives a statically scoped language an enormous power 
by allowing one to define recursive functions. Semantically, the crucial difference 
between let and let rec is that the latter evaluates the binding expressions El
in the modified environment rather than in the original environment. Therefore,
one first creates the new environment by mapping Xl to # fresh locations, then
evaluates El, then stores their values at the new locations, then evaluates E and
then restores the environment. This way, functions declared with let rec see
each other’s names in their closures, so they can call each other:



fmod LETREC-SEMANTICS is protecting LETREC-SYNTAX . extending GENERIC-EXP-SEMANTICS .
  op _->_ : LocationList Continuation -> Continuation .
  vars # N : Nat . var Xl : IdList . var El : ExpList . var E : Exp .
  var K : Continuation . var Env : Env . var R : LState . var M : Store .
  var Ll : LocationList . var Vl : ValueList .
  eq t(k(let rec(#,Xl,El) in E -> K) || e(Env) || R) || n(N) =
     t(k(El -> locs(N,#) -> E -> Env -> K) || e(Env[Xl <- locs(N,#)]) || R) || n(N + #) .
  eq t(k(Vl -> Ll -> K) || R) || m(M) = t(k(K) || R) || m(M[Ll <- Vl]) .
endfm



So far, none of the language constructs had side effects. Variable assignments, 
X := E, evaluate E and store its value at the existing location of X. Therefore, X 
is expected to have been previously bound, otherwise a “runtime error” will be 
reported. It is very important that the actual writing of the value is performed 
using a rewriting rule, not an equation! This is because variable writing is a 
concurrent action, potentially influencing the execution of other threads that 
may read that variable. To distinguish this concurrent value writing from the 
value writing that occurred as part of the semantics of let rec, defined using the 
last equation in the module LETREC-SEMANTICS, we use a different continuation 
constructor for placing a location on a continuation (“L => K”): 



mod ASSIGNMENT-SEMANTICS is extending ASSIGNMENT-SYNTAX .
  extending GENERIC-EXP-SEMANTICS .
  var X : Name . var E : Exp . var Env : Env . var K : Continuation .
  var L : Location . var V : Value . var M : Store . var R : LState .
  op _=>_ : Location Continuation -> Continuation .
  eq k((X := E) -> K) || e([X,L] || Env) = k(E -> L => noValue -> K) || e([X,L] || Env) .
  rl t(k(V -> L => K) || R) || m(M) => t(k(K) || R) || m(M[L <- V]) .
endm



Blocks are quite straightforward: the semicolon-separated expressions are evalu- 
ated in order and the result of the evaluation of the block is the value of the last 
expression; the values of the other expressions except the last one are ignored. 
Therefore, the expressions in a block are used for their side effects: 



fmod BLOCK-SEMANTICS is extending BLOCK-SYNTAX . extending GENERIC-EXP-SEMANTICS .
  op ignore : -> ContinuationItem .
  var E : Exp . var Eb : ExpBlock . var K : Continuation . var V : Value .
  eq k({E} -> K) = k(E -> K) .
  eq k({E ; Eb} -> K) = k(E -> ignore -> {Eb} -> K) .
  eq k(V -> ignore -> K) = k(K) .
endfm



There is nothing special in the CPS semantics of loops: the body of the loop 
followed by its condition are placed on top of the continuation at each iteration, 
and the loop is terminated when the condition becomes false. The evaluation of 
loops returns no value, so loops are also used just for their side effects: 
fmod LOOP-SEMANTICS is extending LOOP-SYNTAX . extending BOOLEAN-EXP-SEMANTICS .
  op while : Exp Exp -> ContinuationItem .
  vars BE E : Exp . var Vl : ValueList . var K : Continuation .
  eq k((while BE E) -> K) = k(BE -> while(BE,E) -> K) .
  eq k((Vl,bool(true)) -> while(BE,E) -> K) = k((E,BE) -> while(BE,E) -> K) .
  eq k((Vl,bool(false)) -> while(BE,E) -> K) = k(noValue -> K) .
endfm



We next define the semantics of exceptions. Whenever an expression of the form
try E catch E' is encountered, E' is first evaluated. Then E is evaluated; if
throw(E'') is encountered during the evaluation of E, then the entire control
context within E is immediately discarded and the value of E'' is passed to
E', which was previously supposed to evaluate to a function; if no exception
is thrown during the evaluation of E, then E' is discarded and the value of E
is returned as the value of try E catch E'. An interesting technicality here
is that the above mechanism can be elegantly implemented by maintaining an
additional continuation within each thread, wrapped within “x(...)”, freezing
and stacking the control contexts, i.e., the continuations, at the times when the
try E catch E' expressions are encountered (note that these can be nested):

fmod EXCEPTION-SEMANTICS is protecting EXCEPTION-SYNTAX . extending FUNCTION-SEMANTICS .
  op try : Exp -> ContinuationItem .
  op popx : -> Continuation .
  op `(_\_`) : Value Continuation -> ContinuationItem .
  op throw : -> ContinuationItem .
  vars E E' : Exp . vars K K' EX : Continuation . vars V V' : Value .
  eq k(try E catch E' -> K) = k(E' -> try(E) -> K) .
  eq k(V' -> try(E) -> K) || x(EX) = k(E -> popx) || x((V'\K) -> EX) .
  eq k(V -> popx) || x((V'\K) -> EX) = k(V -> K) || x(EX) .
  eq k(throw(E) -> K) = k(E -> throw -> K) .
  eq k(V -> throw -> K') || x((V'\K) -> EX) = k((V',V) -> apply -> K) || x(EX) .
endfm



The only feature left to define is threads. In what follows we assume that one 
already has a definition for sets of integers with membership, INT-SET, and one 
for sets of pairs of integers, COUNTER-SET. Both of these are trivial to define, so we 
do not discuss them here. The former will be used to store all the synchronization 
objects, or locks, that are already acquired, and the latter to store how many
times a thread has acquired a lock, so that it knows how many times it needs to 
release it. These are wrapped as program state attributes: 



mod THREAD-SEMANTICS is protecting THREAD-SYNTAX . extending GENERIC-EXP-SEMANTICS .
  protecting INT-SET . protecting COUNTER-SET .
  op c : CounterSet -> StateAttribute .
  op b : IntSet -> StateAttribute .



A new type of value is needed, namely one for locks. A lock is just an integer, 
which is wrapped with lockv to keep it distinct from other integer values: 

op lockv : Int -> Value . 



Newly created threads are executed for their side effects. At the end of their 
execution, threads release their locks and kill themselves. Therefore, we introduce 
a new continuation, die, to distinguish the termination of a thread from the
termination of the main program. The creation of a new thread returns noValue.
The new thread inherits the execution environment from its parent:

  op die : -> Continuation .
  ops lock acquire release : -> ContinuationItem .
  var E : Exp . var K : Continuation . var Env : Env . var R : LState . var I : Int .
  var V : Value . var Cs : CounterSet . var Is : IntSet . var N : Nat . var Nz : NzNat .
  eq t(k(spawn(E) -> K) || e(Env) || R) = t(k(noValue -> K) || e(Env) || R) ||
                                          t(k(E -> die) || e(Env) || x(stop) || c(empty)) .
  eq t(k(V -> die) || c([I,N] || Cs) || R) || b(I || Is) =
     t(k(V -> die) || c(Cs) || R) || b(Is) .
  eq t(k(V -> die) || c(empty) || R) = empty .



Locks are values which can be handled like any other values in the language. In 
particular, they can be passed to and returned as results of functions; lock(E) 
evaluates E to an integer value I and then generates the value lockv(I): 



  eq k(lock(E) -> K) = k(E -> lock -> K) .
  eq k(int(I) -> lock -> K) = k(lockv(I) -> K) .



Acquiring a lock needs to distinguish two cases. If the current thread already 
has the lock, reflected in the fact that it has a counter associated to that lock, 
then it just needs to increment that counter. This operation is not influenced by, 
and does not influence, the execution of other threads, so it can be defined using 
an ordinary equation. The other case, when a thread wants to acquire a lock 
which it does not hold already, needs to be a rewriting rule for obvious reasons: 
the execution of other threads may be influenced, so the global behavior of the 
program may be influenced. Once the new lock is taken, a thread local counter 
is created and initialized to 0, and the lock is declared “busy” in b(...). This
rule is conditional, in that the lock can be acquired only if it is not busy: 



  eq k(acquire(E) -> K) = k(E -> acquire -> K) .
  eq k(lockv(I) -> acquire -> K) || c([I,N] || Cs) =
     k(noValue -> K) || c([I,N + 1] || Cs) .
  crl t(k(lockv(I) -> acquire -> K) || c(Cs) || R) || b(Is) =>
      t(k(noValue -> K) || c([I,0] || Cs) || R) || b(I || Is) if not(I in Is) .



Dually, releasing a lock also involves two cases. However, both of these can 
be safely defined with equations, because threads do not need to compete on 
releasing locks: 



  eq k(release(E) -> K) = k(E -> release -> K) .
  eq k(lockv(I) -> release -> K) || c([I,Nz] || Cs) =
     k(noValue -> K) || c([I,Nz - 1] || Cs) .
  eq t(k(lockv(I) -> release -> K) || c([I,0] || Cs) || R) || b(I || Is) =
     t(k(noValue -> K) || c(Cs) || R) || b(Is) .
endm



All the features of our programming language have been given CPS rewriting 
logic semantics, so we can now put all the semantic specifications together and 
complete the definition of our language: 
fmod LANGUAGE-SEMANTICS is extending ARITHMETIC-EXP-SEMANTICS . extending BOOLEAN-EXP-SEMANTICS .
  extending IF-SEMANTICS .         extending LET-SEMANTICS .
  extending LETREC-SEMANTICS .     extending FUNCTION-SEMANTICS .
  extending LIST-SEMANTICS .       extending ASSIGNMENT-SEMANTICS .
  extending LOOP-SEMANTICS .       extending BLOCK-SEMANTICS .
  extending THREAD-SEMANTICS .     extending EXCEPTION-SEMANTICS .
  op eval : Exp -> [Value] .
  op [_] : LState -> [Value] [strat(1 0)] .
  var E : Exp . vars R S : LState . var V : Value .
  eq eval(E) = [t(k(E -> stop) || e(empty) || x(stop) || c(empty)) ||
                n(0) || m(empty) || b(empty)] .
  eq [t(k(V -> stop) || R) || S] = V .
endfm



The main operator that enables all the semantic definitions above is eval, which 
may or may not return a proper value. As the definition of the auxiliary operator 
[_] shows, eval returns a proper value if and only if the original thread (the only 
one whose continuation is built on top of stop) evaluates to a proper value V. 
The definition of eval above also shows the various state attributes involved, as 
well as their nesting and grouping: the thread state attribute, t(...), includes a
continuation (k), an environment (e), an exception continuation (x), and a lock
counter set (c); the other global state attributes, lying at the same top level as
the thread attributes, are a counter for the next free location (n), a “memory” 
wrapping a mapping from locations to values (m), and a set of “busy” locks (b). 
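The continuation discipline of GENERIC-EXP-SEMANTICS, FUNCTION-SEMANTICS, LET-SEMANTICS, LETREC-SEMANTICS and EXCEPTION-SEMANTICS, re-expressed as an added Python model that is not the paper's Maude code: k, e, m, n and x become ordinary Python values and each branch below is one of the equations above, named in its comment. The tuple encoding of expressions, the class and function names and the two program builders are this example's own; it models the single-thread functional core plus exceptions, so assignments, loops and threads are left out.

```python
from collections import namedtuple

# cl(A, E, Env): parameter name, body and the frozen declaration environment (static scoping).
Closure = namedtuple("Closure", "param body env")

# Primitive continuation items ("+", "car", ...) applied to the evaluated argument list Vl.
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
       "==": lambda a, b: a == b, "list": lambda *vs: list(vs),
       "car": lambda l: l[0], "cdr": lambda l: l[1:], "null?": lambda l: not l}

class CPS:
    """k is a list whose LAST element is the top: "E -> K" is K + [("exp", E)], "V -> K" is K + [("val", V)]."""
    def alloc(self):                        # locs(N, 1): hand out the next free location
        self.n += 1
        return self.n - 1

    def run(self, e):
        self.store, self.n, self.env, self.x = {}, 0, {}, []   # m(empty) n(0) e(empty) x(stop)
        self.k = [("exp", e)]                                  # k(E -> stop)
        while True:
            tag, *a = self.k.pop()
            if tag == "exp":
                self.exp(a[0])
            elif tag == "list":             # (E,El) -> K ==> E -> El -> K, and nil -> K ==> Vl -> K
                pend, done = a
                self.k += [("list", pend[1:], done), ("exp", pend[0])] if pend else [("val", done)]
            elif not self.k:                # the tag is "val": k(V -> stop) is the answer
                return a[0]
            else:
                self.val(a[0])

    def exp(self, e):                       # E sits on top of the continuation
        op, k = e[0], self.k
        if op == "int":
            k.append(("val", e[1]))
        elif op == "id":                    # the lookup rule: X with e([X,L]) and m([L,V]) yields V
            k.append(("val", self.store[self.env[e[1]]]))
        elif op in OPS:                     # E + E' -> K ==> (E,E') -> + -> K
            k += [("op", op), ("list", list(e[1:]), [])]
        elif op == "if":                    # freeze both branches, evaluate the condition
            k += [("if", e[2], e[3]), ("exp", e[1])]
        elif op == "fun":
            k.append(("val", Closure(e[1], e[2], self.env)))
        elif op == "app":                   # F E -> K ==> (F,E) -> apply -> K
            k += [("apply",), ("list", [e[1], e[2]], [])]
        elif op in ("let", "letrec"):       # El -> (Xl,Ll) -> E -> Env -> K with # fresh locations
            names, exprs = zip(*e[1])
            locs = [self.alloc() for _ in names]
            k += [("env", self.env), ("exp", e[2]), ("bind", names, locs), ("list", list(exprs), [])]
            if op == "letrec":              # bind Xl before evaluating El, so closures see each other
                self.env = {**self.env, **dict(zip(names, locs))}
        elif op == "try":                   # try E catch E' -> K ==> E' -> try(E) -> K
            k += [("try", e[1]), ("exp", e[2])]
        elif op == "throw":
            k += [("throw",), ("exp", e[1])]
        else:                               # Maude's "runtime error": a term that cannot reduce
            raise ValueError(f"stuck on {e}")

    def val(self, v):                       # V meets the continuation item below it
        k = self.k
        tag, *a = k.pop()
        if tag == "list":                   # V -> El -> K ==> El -> V -> K: accumulate Vl
            k.append(("list", a[0], a[1] + [v]))
        elif tag == "op":
            k.append(("val", OPS[a[0]](*v)))
        elif tag == "if":                   # bool(B) -> if(E,E') -> K
            k.append(("exp", a[0] if v else a[1]))
        elif tag == "env":                  # V -> Env -> K || e(Env') ==> V -> K || e(Env)
            self.env = a[0]
            k.append(("val", v))
        elif tag == "bind":                 # Vl -> (Xl,Ll) -> K: m[Ll <- Vl] and e[Xl <- Ll]
            self.store.update(zip(a[1], v))
            self.env = {**self.env, **dict(zip(a[0], a[1]))}
        elif tag == "apply":                # (cl(X,E,Env),V) -> apply -> K || e(Env')
            clo, arg = v
            loc = self.alloc()
            k += [("env", self.env), ("exp", clo.body)]                    # E -> Env' -> K ...
            self.env, self.store[loc] = {**clo.env, clo.param: loc}, arg   # ... || e(Env[X <- loc])
        elif tag == "try":                  # V' -> try(E) -> K || x(EX) ==> E -> popx || x((V'\K) -> EX)
            self.x.append((v, k[:]))
            self.k = [("popx",), ("exp", a[0])]
        elif tag == "popx":                 # V -> popx || x((V'\K) -> EX) ==> V -> K || x(EX)
            self.k = self.x.pop()[1] + [("val", v)]
        elif tag == "throw":                # V -> throw -> K' || x((V'\K) -> EX) ==> (V',V) -> apply -> K
            handler, saved = self.x.pop()
            self.k = saved + [("apply",), ("val", [handler, v])]

def fact_program(n):          # let rec f n = if n == 0 then 1 else n * f(n - 1) in f n
    N = ("id", "n")
    body = ("if", ("==", N, ("int", 0)), ("int", 1), ("*", N, ("app", ("id", "f"), ("-", N, ("int", 1)))))
    return ("letrec", [("f", ("fun", "n", body))], ("app", ("id", "f"), ("int", n)))

def product_program(items):   # the paper's list product with throw 0 and the handler fun x -> x
    L, car = ("id", "l"), ("car", ("id", "l"))
    rec = ("if", ("null?", L), ("int", 1), ("if", ("==", car, ("int", 0)), ("throw", ("int", 0)),
                                           ("*", car, ("app", ("id", "a"), ("cdr", L)))))
    inner = ("letrec", [("a", ("fun", "l", rec))], ("app", ("id", "a"), L))
    return ("let", [("p", ("fun", "l", ("try", inner, ("fun", "x", ("id", "x")))))],
            ("app", ("id", "p"), ("list", *[("int", i) for i in items])))
```

With a 0 in the list the answer 0 comes back through the throw branch, which discards the pending multiplications; without one it returns through popx, so the frozen K and its environment restores are replayed.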



3.4 Getting an Interpreter for Free 

Since Maude can efficiently execute rewriting logic specifications, an immediate 
benefit of defining the semantics of a programming language in rewriting logic 
is that we obtain an interpreter for that language with no extra effort. All we
have to do is to “rewrite” terms of the form eval(E), which should reduce
to values. For example, the evaluation of the following factorial program 

rew eval(
  let rec f n =
    if n == 0 then 1 else n * f(n - 1)
  in f 100
) .

takes 5151 rewrites and terminates in 64ms (footnote 8), with the following result:



result Value: int(93326215443944152681699238856266700490715968264381621468592963895217599993229915608941463976156518286253697920827223758251185210916864000000000000000000000000)



The following recursive program calculating the product of elements in a list 
is indeed evaluated to int(0) (in 716 rewrites). This program is “inefficient” 
because the product function returns normally from its recursive calls when a 0 
is encountered, which can be quite time consuming in many situations: 



8 All the performance results in this paper were measured on a 2.4GHz PC.
rew eval(
  let rec p l =
    if null?(l) then 1 else if car(l) == 0 then 0 else car(l) * (p cdr(l))
  in p list(1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
) .



Since our language has exceptions, a better version of the same program (reduc- 
ing in 675 rewrites) is one which throws an exception when a 0 is encountered, 
thus exiting all the recursive calls at once: 

rew eval(
  let p l = try let rec a l =
                  if null?(l) then 1
                  else if car(l) == 0 then throw 0 else car(l) * (a cdr(l))
                in a l
            catch fun x -> x
  in p list(1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
) .

To illustrate the imperative features of our language, let us consider Collatz’
conjecture, stating that the procedure dividing n by 2 if it is even and
multiplying it by 3 and adding 1 if it is odd eventually reaches 1 for any n. For our
particular n below, it takes 73284 rewrites in 0.3s to evaluate to int(813):

rew eval(
  let n = 21342423543653426527423676545 and c = 0
  in {while n > 1 {
        if 2 * (n / 2) == n then n := n / 2 else n := 3 * n + 1 ;
        c := c + 1
      } ;
      c}
) .

Let us next illustrate some concurrent aspects of our language. The following 
program spawns a thread that assigns 1 to a and then recursively increments a 
counter c until a becomes indeed 1. Any possible value for the counter can be 
obtained, depending upon when the spawned thread is scheduled for execution: 

rew eval(
  let a = 0 and c = 0 in {
    spawn(a := 1) ;
    let rec f() = if a == 1 then c else {c := c + 1 ; f()} in f()
  }
) .

We are currently letting Maude schedule the execution of threads based on its 
internal default scheduler for applications of rewrite rules, which in the example 
above leads to an answer int(0). Note, however, that one can also use Maude’s 
fair rewrite command frew instead of rew, or one can even define one’s own 
scheduler using Maude’s meta-level capabilities. Even though we will not discuss 
thread scheduling aspects in this paper, in the next section we will show how one 
can use Maude’s search capability to find executions leading to other possible 
results for the program above, for example int(10). 
An inherent problem in multithreaded languages is that several threads may
access the same location at the same time, and if at least one of these accesses 
is a write this can lead to dataraces. The following program contains a datarace: 

rew eval(
  let x = 0 in {
    spawn(x := x + 1) ;
    spawn(x := x + 1) ;
    x
  }
) .



Maude’s default scheduler happens to schedule the two spawned threads above
such that no datarace occurs, the reported answer being int(2). However, under
different thread interleavings the reported value of x can also be 0 or even 1. The
latter reflects the datarace phenomenon: both threads read the value of x before
any of them writes it, and then they both write the incremented value. Using
search, we show in the next section that both int(0) and int(1) can be valid
results of the program above. Thread synchronization mechanisms are necessary
in order to avoid dataraces. We use locks for synchronization in our language. For
example, the following program is datarace free, because each thread acquires
the lock lock(1) before accessing its critical region. Note, however, that the
final result of this program is still non-deterministic (can be either 2 or -1):

rew eval(
  let a = 1 and b = 1 and x = 0 and l = lock(1) in {
    spawn {acquire l ; x := x + 1 ; release l ; a := 0} ;
    spawn {acquire l ; x := x + 1 ; release l ; b := 0} ;
    if (a == 0) and (b == 0) then x else -1
  }
) .
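Why the paper makes a variable read, a variable write and the acquisition of a free lock rules while everything else is an equation: the only scheduling choices lie at those rule applications, so enumerating interleavings at exactly those points covers every behaviour of the programs above. The search below is an added Python model, not the paper's Maude and not Maude's search command (introduced in Section 4); the step encoding, fire, explore and the thread lists RACY, LOCKED and REENTRANT are this example's own, and REENTRANT adds a nested acquire that the paper's programs do not exercise.

```python
from collections import deque
from itertools import combinations

# A thread is a list of atomic steps, one per rewrite RULE of the semantics above (the
# identifier-lookup rule, the assignment rule "V -> L => K", the conditional acquire rule).
# Everything else is an equation and happens deterministically, so it is not a choice
# point. Thread 0 is the main thread; its register holds the program's answer.
#   ("read", x)       register := store[x]
#   ("write", x, d)   store[x] := register + d
#   ("acquire", l)    enabled if l is free, or if this thread already holds it (counter + 1)
#   ("release", l)    counter - 1; the lock becomes free when the counter was already 0
INC_X = [("read", "x"), ("write", "x", 1)]                  # x := x + 1
RACY = [[("read", "x")], INC_X, INC_X]                      # two spawns, then the main read of x
LOCKED_INC = [("acquire", 1), *INC_X, ("release", 1)]       # acquire l ; x := x + 1 ; release l
LOCKED = [[("acquire", 1), ("read", "x"), ("release", 1)], LOCKED_INC, LOCKED_INC]
REENTRANT = [[("acquire", 1), ("acquire", 1), ("read", "x"), ("write", "x", 5),
              ("release", 1), ("read", "x"), ("release", 1)], LOCKED_INC]

def fire(state, i, step):
    """Apply one step of thread i; None means it is blocked (the crl condition
    'not (I in Is)' fails). state = (m(...) store, b(...) busy locks, pcs, registers,
    per-thread c(...) counters), every component a hashable tuple."""
    store, busy, pcs, regs, counters = state
    store, busy, regs, held = dict(store), set(busy), list(regs), dict(counters[i])
    kind, target = step[0], step[1]
    if kind == "read":
        regs[i] = store[target]
    elif kind == "write":
        store[target] = regs[i] + step[2]
    elif kind == "acquire":
        if target in held:                  # already held: a plain equation bumps the counter
            held[target] += 1
        elif target in busy:                # held by another thread: the rule is not enabled
            return None
        else:                               # the rule fires: counter 0, lock declared busy
            held[target], busy = 0, busy | {target}
    elif kind == "release":
        if held[target] > 0:
            held[target] -= 1
        else:
            del held[target]
            busy.discard(target)
    counters = counters[:i] + (tuple(sorted(held.items())),) + counters[i + 1:]
    pcs = pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:]
    return tuple(sorted(store.items())), frozenset(busy), pcs, tuple(regs), counters

def explore(threads, store):
    """Breadth-first search over all interleavings of rule applications. Returns the set
    of answers the main thread can end with and whether a data race is reachable: a state
    in which two threads are ready to access the same variable and one of them writes."""
    n = len(threads)
    start = (tuple(sorted(store.items())), frozenset(), (0,) * n, (None,) * n, ((),) * n)
    seen, queue, answers, race = {start}, deque([start]), set(), False
    while queue:
        state = queue.popleft()
        pending = [(i, threads[i][pc]) for i, pc in enumerate(state[2]) if pc < len(threads[i])]
        if not pending:                     # every thread has reached its die continuation
            answers.add(state[3][0])
        accesses = [(s[1], s[0]) for _, s in pending if s[0] in ("read", "write")]
        race |= any(v == w and "write" in (a, b) for (v, a), (w, b) in combinations(accesses, 2))
        for i, step in pending:
            nxt = fire(state, i, step)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return answers, race
```

explore(RACY, {"x": 0}) reports {0, 1, 2} with a race, explore(LOCKED, {"x": 0}) the same answers without one, and REENTRANT yields {5, 6}: its first release leaves the counter at 0, so the lock stays busy until the second.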



3.5 Specifying Java and the JVM 

The language presented above was selected and designed to be as simple as
possible, yet including a substantial range of features, such as higher-order and
imperative features, static scoping, recursion, exceptions and concurrency. However,
we are actively using the rewriting logic semantics approach to formally define 
different programming paradigms and large fragments of several languages, in- 
cluding Scheme, OCaml, ML, Pascal, Java, and JVM, several of them covered 
in a programming language design course at UIUC [64]. 

Java has been recently defined at UIUC by Feng Chen in about three weeks, us- 
ing a CPS semantics as above, with 600 equations and 15 rewrite rules. Azadeh 
Farzan has developed a more direct rewriting logic specification for the JVM, not 
based on continuations, specifying about 150 out of 250 bytecode instructions 
with around 300 equations and 40 rewrite rules. The continuations-based style 
used in this paper should be regarded as just a definitional methodology, which 
may not be appropriate for some languages, especially for lower level ones. Both 
the Java and the JVM specifications include multithreading, inheritance,
polymorphism, object references, and dynamic object allocation. We do not support
native methods nor many of the Java built-in libraries at present. The definition 
of Java follows closely the style used to define our sample language above, with 
states consisting of multisets of potentially nested state attributes. A new type 
of value is introduced for objects, wrapping also the name of the class that the 
object is an instance of, which is necessary in order to have access to that object’s 
methods. The essential difference in the definitional styles of Java and the JVM 
is that the latter follows the object paradigm of Maude [42], considering objects 
also as part of the state multiset structure; and method calls are translated into 
messages that objects can send to each other, by placing them into the multiset 
state as well. Rewrites (with rewrite rules and equations) in this multiset model 
the changes in the state of the JVM. 



4 Formal Analysis of Concurrent Programs 

Specifying formally the rewriting logic semantics of a programming language in 
Maude, besides providing an increased understanding of all the details underlying 
a language design, also yields a prototype interpreter for free. Furthermore, a 
solid foundational framework for program analysis is obtained. It is conceptually 
meaningless to speak about rigorous verification of programs without a formal 
definition of the semantics of the language they are written in. Once a definition of a language is 
given in Maude, thanks to generic analysis tools for rewriting logic specifications 
that are efficiently implemented and currently provided as part of the Maude 
system, we additionally get the following important analysis tools also for free: 

1. a semi-decision procedure to find failures of safety properties in a (possibly 
infinite-state) concurrent program using Maude’s search command; 

2. an LTL model checker for finite-state programs or program abstractions; 

3. a theorem prover (Maude’s ITP [20]) that can be used to semi-automatically 
prove programs correct. 

We only focus on the first two items in this paper, because they are entirely automatic 
(except of course for the need to equationally define the atomic predicates 
of interest in temporal logic formulas). 



4.1 Search 

We have seen several examples where concurrent programs can have quite non- 
deterministic behaviors due to many possible thread interleavings, some of them 
leading to undesired behaviors, e.g., dataraces, due to lack of synchronization. 
Using Maude’s search command, one can search a potentially infinite state 
space for behaviors of interest. Since such a search is performed in a breadth-first 
manner, if any safety violation exists then it will eventually be found, i.e., 
this is a semi-decision procedure for finding such errors. For example, the 
following two-threaded program, which evaluates to 0 in Maude under its default 
scheduling, can be shown to evaluate to any possible integer value. It takes 11ms 
to find an interleaving that leads to int(10), after exploring 108 states: 

search [1] eval( let a = 0 and c = 0 in { 
                   spawn (a := 1) ; 
                   let rec f() = if a == 1 then c else {c := c + 1 ; f()} in f() 
                 } ) =>* int(10) . 

One can show that the poorly synchronized program in Section 3.4 has a 
datarace, 

search [1] eval( let x = 0 in { 
                   spawn (x := x + 1) ; 
                   spawn (x := x + 1) ; 
                   x 
                 } ) =>+ int(1) . 

and also that the properly synchronized version of it is datarace free: 

search [1] eval( let a = 1 and b = 1 and x = 0 and l = lock(1) in { 
                   spawn {acquire l ; x := x + 1 ; release l ; a := 0} ; 
                   spawn {acquire l ; x := x + 1 ; release l ; b := 0} ; 
                   if (a == 0) and (b == 0) then x else -1 
                 } ) =>+ int(1) . 

The above returns “No solution”, after exploring all 90 possible states in 23ms. 
If one wants to see the state space generated by the previous search command, 
one can type the command “show search graph”. An interesting example showing 
that dataraces can be arbitrarily dangerous was proposed by J. Moore [54], 
where two threads performing the assignment “c := c + c” for some shared 
variable c can lead to any possible integer value for c. The following shows how 
one can test whether the value 25 can be reached. It takes Maude about 1s to 
explore 4696 states and find a possible interleaving leading to the final result 25: 

search [1] eval( let rec c = 1 and f() = {c := c + c ; f()} in { 
                   spawn f() ; 
                   spawn f() ; 
                   c 
                 } ) =>! int(25) . 



4.2 Model Checking 

When the state space of a concurrent program is finite, one can exhaustively 
analyze all its possible executions and check them against temporal logic prop- 
erties. Currently, Maude provides a builtin explicit-state model checker for linear 
temporal logic (LTL) comparable in speed to SPIN [24], which can be easily used 
to model check programs once a programming language semantics is defined as 
a rewriting logic specification. The module MODEL-CHECKER, part of Maude’s 
distribution, exports sorts State, Prop, and a binary “satisfaction” operator 
_|=_ : State Prop -> Bool. In order to define temporal properties to model-check, 
the user has to first define state predicates using the satisfaction operation. 

To exemplify this analysis technique, we next consider the classical dining 
philosophers problem. The property of interest in this example is that the pro- 
gram terminates, so we only need one state predicate, terminates, which holds 
whenever a proper value is obtained as a result of the execution of the program 
(note that eval may not always return a proper value; its result was the kind 
[Value]): 



fmod CHECK is extending MODEL-CHECKER . extending LANGUAGE-SEMANTICS . 
subsort Value < State . 
op terminates : -> Prop . 
eq V: Value |= terminates = true . 
endfm 



We can model check a five dining philosophers program as follows: 



red modelCheck(eval( let n = 5 and i = 1 and 
                         f x = { acquire lock(x) ; acquire lock(x + 1) ; 
                                 eat ; 
                                 release lock(x + 1) ; release lock(x) } 
                     in { while i < n 
                            { spawn (f i) ; i := i + 1 } ; 
                          acquire lock(n) ; acquire lock(1) ; 
                          eat ; 
                          release lock(1) ; release lock(n) } ) , <> terminates) . 



Maude’s model checker detects the deadlock and returns a counterexample trace 
in about 0.5s. If one fixes this program to avoid deadlocks, for example as follows: 



red modelCheck(eval( let n = 5 and i = 1 and 
                         f x = if x % 2 == 1 
                               then { acquire lock(x) ; acquire lock(x + 1) ; 
                                      eat ; 
                                      release lock(x + 1) ; release lock(x) } 
                               else { acquire lock(x + 1) ; acquire lock(x) ; 
                                      eat ; 
                                      release lock(x) ; release lock(x + 1) } 
                     in { while i < n 
                            { spawn (f i) ; i := i + 1 } ; 
                          if n % 2 == 1 
                          then { acquire lock(n) ; acquire lock(1) ; 
                                 eat ; 
                                 release lock(1) ; release lock(n) } 
                          else { acquire lock(1) ; acquire lock(n) ; 
                                 eat ; 
                                 release lock(n) ; release lock(1) } } ) , 
               <> terminates) . 



then the model-checker analyzes the entire state space and returns true, meaning 
that the program will terminate for any possible thread interleaving. 
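As an added example (not code from the paper or from Maude), the following Python program re-implements in miniature what the search and <> terminates queries above do: it explores every interleaving of atomic steps breadth-first and reports the reachable final values and the deadlocked states, for the racy and locked increment programs of Sections 3.4 and 4.1 and for the naive and fixed dining philosophers of this section. All names (load, store, acquire, release, explore, philosophers) are this example's own, and x := x + 1 is modelled as a separate load and store, which is the assumption that makes the race observable.

```python
# Explicit-state exploration of thread interleavings (added example, not the
# paper's code). Miniature of Maude's `search` / `<> terminates` checks for the
# programs of Sections 3.4, 4.1 and 4.2. All names here are this example's own.
from collections import deque

# A step maps the shared store (a dict) to a new store, or returns None when
# it is blocked (the lock is held by another thread). Thread-local
# temporaries live in the store under per-thread names such as "t0".

def load(var, tmp):
    return lambda s: {**s, tmp: s[var]}

def store(var, expr):
    # expr computes the new value from the current store
    return lambda s: {**s, var: expr(s)}

def acquire(lock):
    return lambda s: None if s[lock] else {**s, lock: True}

def release(lock):
    return lambda s: {**s, lock: False}

def skip(s):
    # "eat" in the dining philosophers: an atomic no-op
    return s

def explore(threads, init):
    """Breadth-first search over all interleavings of `threads`.
    Returns (final stores, deadlocked stores, number of states explored).
    Deadlock = no thread can move but some thread is unfinished."""
    start = (tuple(0 for _ in threads), frozenset(init.items()))
    seen, queue = {start}, deque([start])
    finals, deadlocks = set(), set()
    while queue:
        pcs, frozen = queue.popleft()
        s, succ = dict(frozen), []
        for i, t in enumerate(threads):
            if pcs[i] < len(t):
                ns = t[pcs[i]](s)
                if ns is not None:
                    succ.append((pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:],
                                 frozenset(ns.items())))
        if not succ:
            done = all(pcs[i] == len(t) for i, t in enumerate(threads))
            (finals if done else deadlocks).add(frozen)
        for st in succ:
            if st not in seen:
                seen.add(st)
                queue.append(st)
    return finals, deadlocks, len(seen)

def values(stores, var):
    """Distinct values of `var` over a set of frozen stores."""
    return sorted({dict(f)[var] for f in stores})

def racy_increment():
    # spawn (x := x + 1) ; spawn (x := x + 1) ; x        (Sections 3.4, 4.1)
    # x := x + 1 is NOT atomic: a load followed by a store.
    def inc(i):
        return [load("x", f"t{i}"), store("x", lambda s: s[f"t{i}"] + 1)]
    main = [load("x", "result")]  # the main thread reads x without waiting
    return explore([main, inc(0), inc(1)], {"x": 0})

def locked_increment():
    # spawn {acquire l ; x := x + 1 ; release l ; a := 0} ; (same with b) ;
    # if (a == 0) and (b == 0) then x else -1            (Sections 3.4, 4.1)
    def worker(i, flag):
        return [acquire("l"), load("x", f"t{i}"),
                store("x", lambda s: s[f"t{i}"] + 1),
                release("l"), store(flag, lambda s: 0)]
    main = [load("a", "ta"), load("b", "tb"),
            store("result", lambda s: s["x"] if s["ta"] == 0 and s["tb"] == 0 else -1)]
    return explore([main, worker(0, "a"), worker(1, "b")],
                   {"x": 0, "a": 1, "b": 1, "l": False})

def philosophers(n, fixed):
    # Section 4.2: philosopher x takes lock(x) then lock(x + 1), and the last
    # one takes lock(n) then lock(1). With fixed=True, even-numbered
    # philosophers take their two forks in the opposite order.
    def phil(first, second):
        return [acquire(first), acquire(second), skip,
                release(second), release(first)]
    threads = []
    for x in range(1, n + 1):
        first, second = f"lock{x}", f"lock{x % n + 1}"
        if fixed and x % 2 == 0:
            first, second = second, first
        threads.append(phil(first, second))
    return explore(threads, {f"lock{x}": False for x in range(1, n + 1)})

if __name__ == "__main__":
    f, _, _ = racy_increment()
    print("racy: x", values(f, "x"), "result", values(f, "result"))
    f, _, _ = locked_increment()
    print("locked: x", values(f, "x"), "result", values(f, "result"))
    for fixed in (False, True):
        _, d, n = philosophers(5, fixed)
        print(f"philosophers fixed={fixed}: {len(d)} deadlocked of {n} states")
```

The racy program can end with x = 1 and the main thread can observe 0, 1 or 2; the locked version always ends with x = 2 and observes either 2 or -1, exactly as the search commands above report, and only the unfixed philosophers have deadlocked states.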
4.3 Formal Analysis of Java Multithreaded Programs 

In joint work with Azadeh Farzan and Feng Chen, we are using Maude to 
develop JavaFAN (Java Formal ANalyzer) [27,26], a tool in which Java and 
JVM code can be executed and formally analyzed. JavaFAN is based on Maude 
rewriting logic specifications of Java and JVM (see Section 3.5). Since JavaFAN 
is intended to be a Java analysis tool rather than a programming language design 
platform, we have put a special emphasis on its efficiency. When several ways 
to give semantics to a feature were possible, we have selected the one which 
performed better on our benchmarks, instead of the mathematically simplest 
one. In this section we discuss JavaFAN and some of the experiments that we 
performed with it. They support the claim that the rewriting logic approach to 
formal semantics of programming languages presented in this paper is not only 
a clean theoretical model unifying SOS and equational semantics, but also a 
potentially powerful practical framework for developing software analysis tools. 




[Figure 1 diagram; legend: Data, Module, Outside Tool, Module Invocation, Input/Output] 

Fig. 1. Architecture of JavaFAN. 

Figure 1 presents the architecture of JavaFAN. The user interface module 
hides Maude behind a user-friendly environment. It also plays the role of a 
dispatcher, sending the Java source or the bytecode to Java or JVM analyzers, 
respectively. The analyzers wrap the input programs into Maude modules and 
invoke Maude, which analyzes the code based on the formal specifications of 
the Java language and of the JVM. The output formatter collects the output of 
Maude, transforms it into a user-readable format, and sends it to the user. 

We next discuss some of the examples analyzed with JavaFAN and comparisons 
to other similar tools. The Remote Agent (RA) is a spacecraft controller, 
part of NASA’s Deep Space 1 shuttle, that deadlocked 96 million miles 
from Earth due to a datarace. This example has been extensively studied in [32, 
33]. JavaFAN’s search found the deadlock in 0.1 seconds at the source code level 
and in 0.3 seconds at the bytecode level, while the tool in [61] finds it in more 
than 2 seconds. Another comparison with [61] was done on a 2 stage pipeline 
code, each stage executing as a separate thread, against a property taken from 
[61]. JavaFAN model checks the property in 17 minutes, while the tool in [61], 
without partial order reduction optimizations⁹, does it in more than 100 minutes. 
JavaFAN can detect the deadlock for up to 9 philosophers. Other Java 

9 JavaFAN is currently just a brute force, unoptimized explicit state model checker. 
model checkers, with support for heuristics and abstraction techniques such as 
Java PathFinder (JPF) [88,11,34], can do larger numbers. If the deadlock 
potential is removed, like in Section 4.2, thus diminishing the role of heuristics, then 
JavaFAN can prove the program deadlock-free for up to 7 philosophers, while 
JPF cannot deal with 4 philosophers (on the same program). All these examples 
as well as the JavaFAN system are available on the web [25]. 



4.4 Performance of the Formal Analysis Tools 

There are two reasons for the efficiency of the formal analysis tools for languages 
whose rewriting logic semantics is given in Maude, and in particular for which 
JavaFAN compares favorably with more conventional Java analysis tools: 

1. The high performance of Maude for execution, search, and model checking; 

2. The optimized equational and rule definitions. 

Maude’s rewriting engine is highly optimized and can perform millions of rewrite 
steps per second, while its model checker is comparable in speed with SPIN 
[24]. In addition to these, we have used performance-enhancing specification 
techniques, including: expressing as equations the semantics of all determinis- 
tic computations, and as rules only concurrent computations (since rewriting 
happens modulo equations, only rules contribute to state space size); favoring 
unconditional equations and rules over less efficient conditional versions; and 
using a continuation passing style in semantic equations. 



5 SOS and Equational Semantics Revisited 

Now that rewriting logic semantics has been explained and has been illustrated 
in detail, we take a second look at how equational semantics and SOS are unified 
within rewriting logic semantics. We also explain how their respective limitations 
are overcome within this broader semantic framework. 



5.1 Unification of Equational Semantics 

If $R$ is empty in a rewrite theory $\mathcal{R} = (\Sigma, E, \phi, R)$, then $\phi$ is irrelevant and $\mathcal{R}$ 
becomes an equational theory, and the initial model $\mathcal{T}_{Reach(\mathcal{R})}$ becomes in essence 
the initial algebra $\mathcal{T}_{\Sigma/E}$. Therefore, equational logic is a sublogic of rewriting 
logic, and initial algebra semantics is a special case of rewriting logic’s initial 
model semantics. That is, equational semantics is a special case of rewriting 
logic semantics, namely the case when $R = \emptyset$. Higher-order semantic equations 
can be integrated in two alternative ways. On the one hand, we can make ev- 
erything first-order by means of an explicit substitution calculus or the use of 
combinators. On the other hand, we can embed higher-order semantic equations 
within a higher-order version of rewriting logic such as Stehr’s open calculus of 
constructions (OCC) [71]. Either way, since OCC and many other higher-order 
calculi can be faithfully represented in first-order rewriting logic [72,71], it is 
possible to execute such definitions in a rewriting logic language such as Maude. 

Integrating equational semantics within rewriting logic makes the limitations 
in handling concurrency mentioned in Section 1.1 disappear, since all determin- 
istic computations of a language can still be specified by equations, but the 
means missing in equational semantics to properly handle concurrency are now 
provided by rewrite rules. Furthermore, the extension from equational logic to 
rewriting logic is conservative and all the good proof- and model-theoretic prop- 
erties are preserved in the extension. This leaves us with the pending issue of 
modularity, which is discussed in Section 5.3. 



5.2 Unification of SOS and Reduction Semantics 

SOS can also be integrated within rewriting logic. This has been understood 
from the early stages of rewriting logic [41,48,40], and has led to several implementations 
of SOS definitions [9,81]. Intuitively, an SOS rule of the form, 

$$\frac{P_1 \to P_1' \quad \cdots \quad P_n \to P_n'}{Q \to Q'}$$

corresponds to a rewrite rule with rewrites in its condition. There is however an 
important difference between the meaning of a transition $P \to Q$ in SOS and a 
sequent $P \to Q$ in rewriting logic. In SOS a transition $P \to Q$ is always a 
one-step transition. Instead, because of Reflexivity and Transitivity, a rewriting 
logic sequent $P \to Q$ may involve many rewrite steps; furthermore, because of 
the Congruence, such steps may correspond to rewriting subterms. 

Since the conditions in a conditional rewrite rule may involve many rewrite 
steps, whereas the transitions in the condition of an SOS rule are one-step tran- 
sitions, in order to faithfully represent an SOS rule we have somehow to “dumb 
down” the rewriting logic inference system. Of course we do not want to actually 
change rewriting logic’s inference rules: we just want to get the effect of such a 
change, so that in fact only the Replacement rule is used. This can be achieved 
by representing an SOS specification as a suitable rewrite theory that, due to its 
construction, precludes the application of the other inference rules in the logic. 
We explain how this can be done for an SOS specification consisting of unlabeled 
SOS rules of the general form described above. We can think of such an SOS 
specification as a pair $\mathcal{S} = (\Sigma, R)$, where $\Sigma$ is a many-sorted signature, and 
the rules $R$ are of the general form described above, where the $P$s and $Q$s are 
$\Sigma$-terms having the same sort whenever they appear in the same transition. The 
SOS rules are then applied to substitution instances of the patterns appearing in 
each rule in the usual SOS way. The corresponding rewrite theory representing 
$\mathcal{S}$ is denoted $\widehat{\mathcal{S}}$ and is $\widehat{\mathcal{S}} = (\widehat{\Sigma}, OP, \widehat{\phi}, \widehat{R})$, where: 

— $\widehat{\Sigma}$ is the MEL signature obtained from $\Sigma$ by: 

  • adding a kind $[s]$ for each sort $s$ in $\Sigma$, so that the set of sorts for kind 
    $[s]$ is the singleton set $\{s\}$ 

  • adding for each $f : s_1 \ldots s_n \to s$ in $\Sigma$ an operator $f : [s_1] \ldots [s_n] \to [s]$ 

  • adding for each kind $[s]$ two operators $[\_] : [s] \to [s]$ and $(\_) : [s] \to [s]$. 

— $OP$ is the set of axioms associating to each operator $f : s_1 \ldots s_n \to s$ in 
  $\Sigma$ the membership $\forall(x_1 : s_1, \ldots, x_n : s_n)\ f(x_1, \ldots, x_n) : s$, so that terms of 
  the old sorts in $\Sigma$ remain well-sorted in $\widehat{\Sigma}$ 

— $\widehat{\phi}$ declares all arguments in all operators in $\widehat{\Sigma}$ frozen, and 

— $\widehat{R}$ has for each SOS rule in $R$ a corresponding rewrite rule 

$$[Q] \to (Q') \ \text{if}\ [P_1] \to (P_1') \wedge \ldots \wedge [P_n] \to (P_n'),$$

The key result is then the following lemma, that we state without proof: 

Lemma 1. For any ground $\Sigma$-terms $t, t'$ of the same sort, we have 

$$\mathcal{S} \vdash_{SOS} t \to t' \iff \widehat{\mathcal{S}} \vdash_{RWL} [t] \to (t')$$ 

where $\vdash_{SOS}$ and $\vdash_{RWL}$ denote the SOS and rewriting logic inference systems. 

In general, SOS rules may have labels, decorations, and side conditions. In 
fact, there are many SOS rule variants and formats. For example, additional 
semantic information about stores or environments can be used to decorate an 
SOS rule. Therefore, showing in detail how SOS rules in each particular variant 
or format can be faithfully represented by corresponding rewrite rules would be 
a tedious business. Fortunately, Peter Mosses, in his modular structural opera- 
tional semantics (MSOS) [57,58,55], has managed to neatly pack all the various 
pieces of semantic information usually scattered throughout a standard SOS rule 
inside rule labels, where now labels have a record structure whose fields corre- 
spond to the different semantic components (the store, the environment, action 
traces for processes, and so on) before and after the transition thus labeled is 
taken. The paper [47] defines a faithful representation of an MSOS specification 
$\mathcal{S}$ as a corresponding rewrite theory $\tau(\mathcal{S})$, provided the MSOS rules in $\mathcal{S}$ are 
in a suitable normal form. Such MSOS rules do in fact have labels that include 
any desired semantic information, and can have equational side conditions. A 
semantic equivalence result similar to the above lemma holds between transitions 
in $\mathcal{S}$ and one-step rewrites in $\tau(\mathcal{S})$ [47]. This shows that MSOS specifications are 
faithfully represented by their rewriting logic translations. 

A different approach also subsumed by rewriting logic semantics is sometimes 
described as reduction semantics. It goes back to Berry and Boudol’s Chemical 
Abstract Machine (Cham) [4], and has been adopted to give semantics to dif- 
ferent concurrent calculi and programming languages (see [4,51] for two early 
references). Since the 1990 San Miniato Workshop on Concurrency, where both 
the Cham and rewriting logic were presented [23], it has been clearly understood 
that these are two closely related formalisms, so that each Cham can be naturally 
seen as a rewrite theory (see [41] Section 5.3.3, and [4]). In essence, a reduction 
semantics, either of the Cham type or with a different choice of basic primitives, 
can be naturally seen as a special type of rewrite theory $\mathcal{R} = (\Sigma, A, \phi, R)$, where 
$A$ consists of structural axioms, e.g., associativity and commutativity of multiset 
union for the Cham¹⁰, and $R$ is typically a set of unconditional rewrite rules. The 
frozenness information $\phi$ is specified by giving explicit inference rules, stating 
which kind of congruence is permitted for each operator for rewriting purposes. 

Limitations of SOS similar to those pointed out in Section 1.1 were also 
clearly perceived by Berry and Boudol, so that the Cham is proposed not as 
a variant of SOS, but as an alternative semantic framework (see [4], Section 
2.3). Indeed, an important theme is overcoming the rigidity of syntax, forcing 
traditional SOS to express communication in a centralized, interleaving way, 
whereas the use of associativity and commutativity and the locality of rewrite 
rules allows a more natural expression of local concurrent interactions. On this 
point rewriting logic semantics and reduction semantics are in full agreement. 
Four further advantages added by rewriting logic semantics to overcome other 
limitations of SOS mentioned in Section 1.1 are: (i) the existence of a model- 
theoretic semantics having initial models, that smoothly integrates the model 
theory of algebraic semantics as a special case and serves as a basis for inductive 
and temporal logic reasoning; (ii) the more general use of equations not only 
as structural axioms A (e.g., AC of multiset union for the Cham) but also as 
semantic equations Eq that are Church-Rosser modulo A, so that in general 
we have E = Eq ∪ A; (iii) allowing conditional rewrite rules which permits a 
natural integration of SOS within rewriting logic; and (iv) the existence of high- 
performance implementations supporting both execution and formal analysis. 
This brings us to the last limitation mentioned in Section 1.1 for both equational 
semantics and SOS, namely modularity. 



5.3 Modularity 

Both equational semantics and SOS are notoriously unmodular. That is, when a 
new kind of feature is added to the existing formal specification of a language’s 
semantics, it is often necessary to introduce extensive redefinitions in the earlier 
specification. One would of course like to be able to define the semantics of each 
feature in a modular way once and for all, but this is easier said than done. 

Rewriting logic as such does not solve the modularity problem. After all, 
equational definitions remain untouched when embedded in rewriting logic, and 
SOS definitions, except for the technicality of restricting rewrites to one step in 
conditions, are represented by quite similar conditional rewrite rules. Therefore, 
if the specifications were unmodular beforehand, it is unreasonable to expect that 
they will magically become modular when viewed as rewrite theories. Something 
else is needed, namely a modular specification methodology. 

10 As pointed out in [41], the Cham’s heating and cooling rules and the airlock rule 
could also be seen as equations and could be made part of the set A. 
In this regard, the already mentioned work of Mosses on MSOS [57,58,55] is 
very relevant and important, because it has given a simple and elegant solution 
to the SOS modularity problem. Stimulated by Mosses’ work, the first author, 
in joint work with Christiano Braga, has investigated a methodology to make 
rewriting logic definitions of programming languages modular. The results of this 
research are reported in [47], and case studies showing the usefulness of these 
modularity techniques for specific language extensions are presented in [10]. In 
particular, since equational logic is a sublogic of rewriting logic, the modular 
methodology proposed in [47] specializes in a straightforward way to a new 
modular specification methodology for algebraic semantics. The two key ideas 
in [47] are the systematic use of ACI matching to make semantic definitions 
impervious to the later addition of new semantic entities, and the systematic 
use of abstract interfaces to hide the internal representations of semantic entities 
(for example a store) so that such internal representations can be changed in a 
language extension without a need to redefine the earlier semantic rules. 

This methodology has influenced the specification style used in Section 3, 
even though the methodology in [47] is not followed literally. One limitation 
mentioned in [47] is the somewhat rigid style imposed by assuming configura- 
tions consisting of a program text and a record of semantic entities, which forces 
an interleaving semantics alien in spirit to rewriting logic’s true concurrency se- 
mantics. One can therefore regard the specification style illustrated in Section 3 
as a snapshot of our current steps towards a truly concurrent modular specifi- 
cation methodology, a topic that we hope to develop fully in the near future. 



6 Concluding Remarks 

We have introduced rewriting logic, have explained its proof theory and its model 
theoretic semantics, and have shown how it unifies both equational semantics 
and SOS within a common semantic framework. We have also explained how 
reduction semantics can be regarded as a special case of rewriting logic semantics. 
Furthermore, we have shown how rewriting logic semantic definitions written in 
a language like Maude can be used to get efficient program analysis tools, and 
have illustrated this by means of a substantial Caml-like language specification. 
The unification of equational semantics and SOS achieved this way combines the 
best features of these approaches and has the following advantages: 

— a rewrite theory $\mathcal{R}$ has an initial model semantics given by $\mathcal{T}_{\mathcal{R}}$, and a 
proof-theoretic operational semantics given by rewrite proofs; furthermore, by the 
Completeness Theorem both semantics agree 

— the initial model $\mathcal{T}_{\mathcal{R}}$ provides the mathematical basis for formal reasoning 
and theorem proving in first- and higher-order inductive theorem proving 
and in temporal logic deduction 

— rewriting logic provides a crucial distinction between semantic equations 
E and semantic rules R, that is, a distinction between deterministic and 
concurrent computation not available in either equational semantics or SOS 
— such a distinction is key not only conceptually, but also for efficiency reasons 
of drastically collapsing the state space 

— rewriting logic has a true concurrency semantics, more natural than an in- 
terleaving semantics when defining concurrent languages with features such 
as distribution, asynchrony, and mobility 

— when specified in languages like Maude, semantic definitions can be turned 
into efficient interpreters and program analysis tools for free 

— when developed according to appropriate methodological principles, rewrit- 
ing logic semantic definitions become modular and are easily extensible with- 
out any need for changes in earlier semantic rules. 

An important aspect of the rewriting logic semantics we propose is the flexi- 
bility of choosing the desired level of abstraction at will when giving semantic 
definitions. Such a level of abstraction may be different for different modeling 
and analysis purposes, and can be easily changed as explained below. The point 
is that in a rewrite theory $(\Sigma, E, \phi, R)$, rewriting with the rules $R$ happens 
modulo the equations in $E$. Therefore, the more semantic definitions we express as 
equations the more abstract our semantics becomes. Abstraction has important 
advantages for making search and model checking efficient, but changes what is 
observable in the model. In this sense, the Caml-like language specification in 
Section 3 is quite abstract; in fact, it has only three rewrite rules, with all other 
axioms given as equations. It is indeed possible to observe all global memory 
changes, since these are all expressed with rules, but some other aspects of the 
computation may not be observable at this level of abstraction. For example, 
nonterminating local sequential computations, such as a nonterminating func- 
tion call or while loop, will remain within the same equivalence class. This may 
even lead to starvation of other threads in an interpreter execution. Generally 
speaking, when observing a program’s computation in a more fine-grained way 
becomes important, this can be easily done by transforming some equations into 
rules. For example, one may wish to specify all potentially nonterminating con- 
structs with rules. The most fine-grained way possible is of course to transform 
all equations (except for structural axioms such as ACI) into rules. These trans- 
formations are easy to achieve, since they amount to very simple changes in 
the specification. In fact, one may wish to use different variants of a language’s 
specification, with certain semantic definitions specified as equations in one vari- 
ant and as rules in another, because each variant may provide the best level of 
abstraction for a different set of purposes. The moral of the story is precisely 
that rewriting logic’s distinction between equations and rules provides a useful 
“abstraction knob” by which we can fine tune a language’s specification to best 
handle specific formal analysis purposes. There are a number of open research 
directions suggested by these ideas: 

— for model checking scalability purposes it will be important to add techniques 
such as partial order reduction and predicate abstraction; 

— besides search and model checking, using rewriting logic semantic definitions 
as a basis for theorem proving of program properties is also a direction 
that should be vigorously pursued; this semantics-based method is well-understood 
for equational semantics [30] and has been used quite successfully 
by other researchers in the analysis of Java programs using both PVS [37] 
and ACL2 language specifications [52]; in the context of Maude, its ITP tool 
[20] has already been used to certify state estimation programs automatically 
synthesized from formal specifications [66,65] and also to verify sequential 
programs based on a language’s semantic definition [46]. 

— rewriting is a simple and general model of computation, and rewriting-based 
semantic definitions already run quite fast on a language like Maude which 
is itself a semi-compiled interpreter; this suggests that, given an appropriate 
compilation technology for rewriting, one could directly compile programming 
languages into a rewriting abstract machine; a key issue in this regard 
is compiling conditional equations into unconditional ones [36,86]; 

— more experience is also needed in specifying different programming languages 
as rewrite theories; besides the work in the JavaFAN project, other language 
specification projects are currently underway at UIUC and at UFF Brazil, 
including Scheme, ML, OCaml, Haskell, and Pascal; 

— more research is also needed on modularity issues; a key question is how to 
generalize to a true concurrency setting the modular methodology developed 
in [47]; an important goal would be the development of a modular library of 
rewriting logic definitions of programming language features that could be 
used to easily define the semantics of a language by putting together different 
modules in the library. 



There is, finally, what we perceive as a promising new direction in teaching pro- 
gramming languages, namely the development of courses and teaching material 
that use executable rewriting logic specifications as a key way to explain the pre- 
cise meaning of each programming language feature. This can allow students to 
experiment with programming language concepts by developing executable formal 
specifications for them. We have already taught several graduate courses at 
UIUC along these lines with very encouraging results, including a programming 
language design course and a formal verification course [64,46]. 
Abstract. Redundancy criteria are an important means to restrict the 
search space of a theorem prover. In the presence of associative and 
commutative (AC) operators saturating provers soon generate many similar 
equations, most of which are redundant. We present a new criterion that 
is specialized for the AC-case and leads to significant speed-ups. The 
criterion uses a new sufficient test for the unsatisfiability of ordering 
constraints. The test runs in polynomial time, is easy to implement, and 
covers reduction orderings in a generic way, with possible extensions for 
LPO and KBO. 

1 Introduction 

Redundancy criteria are a means to extend and refine existing logical calculi 
in a modular way. This allows one to specialize the calculi to domains where 
redundancy can be suitably characterized. Compared to working modulo some 
theory, redundancy criteria have the advantage that extending an existing prover 
does not affect core algorithms or data structures. 

In previous work [AHL03] we have extended the unfailing completion ap- 
proach [HR87,BDP89] by criteria that are based on ground joinability. This is 
especially rewarding in the presence of associative and commutative (AC) op- 
erators, for nearly all equations with AC-equal sides can be deleted. We have 
also investigated the use of more generic ground joinability tests. The first one 
is based on [MN90], which considers all possible ordering relations between vari- 
ables. The second test uses confluence trees, which were originally introduced to 
decide the confluence of ordered rewrite systems [CNNR03]. Experiments have 
shown that both tests take effect especially when AC-operators are present. 

However, the use of the generic tests is hampered by three effects: They tend to perform many case distinctions, much work is duplicated between independent tests of different equations, and the tests check for complete joinability proofs only, which makes them fail when some necessary equation is not yet available. This means that we obtain only part of the possible benefit even if we repeat the tests. The reason is that we perform too much work at once (cf. Sect. 2).

The main idea of the present paper is to replace the test on ground joinability of $s=t$ by a test on ground reducibility. In order to guarantee the existence of a smaller proof for $s=t$ we add new equations, if necessary. Of course, this is only a win if their number is small enough. As ground reducibility is undecidable for ordered rewriting [CNNR03], we have to concentrate on special cases and use approximations. For the AC-case ground reducibility can be nicely described by ordering constraints and the set of overlaps is small in size (cf. Sect. 3).

Testing ordering constraints for satisfiability is an NP-complete problem for 
the lexicographic path ordering (LPO) and the Knuth-Bendix ordering (KBO) 
[Nie93,KV01], the orderings that are used most frequently for equational theorem 
proving. As we aim for a practical redundancy criterion, we approximate again 
and use a sufficient test for their unsatisfiability. In Sect. 4 we present a test, 
which is easy to implement and runs in polynomial time. It covers many orderings 
in a generic way and can be extended for specific orderings, such as LPO and 
KBO. In Sect. 5 experiments demonstrate that the unsatisfiability test can cope 
well with the ordering constraints produced by the criterion. Overall, the new 
criterion leads to remarkable speed-ups, especially for challenging proof tasks. 

This work is embedded in the rich tradition of completion-based theorem proving. It was noticed early that AC-operators deserve special treatment. In particular, working modulo AC, or more generally modulo a theory, has received much attention. For space reasons, we refer to the recent overviews [DP01,NR01]. Another work that uses constraints for the AC-case is [PZ97].

2 Preliminaries 

We use standard concepts from term rewriting [DP01] and equational theorem proving [NR01]. The set $\mathcal{F}$ contains function symbols (or operators). With $\mathcal{F}_{AC}$ we denote the subset of AC-operators. Let $+$ be an AC-operator. We will frequently use $A$, $C$, and $C'$ to refer to associativity $(x+y)+z \to x+(y+z)$, commutativity $x+y = y+x$ and extended commutativity $x+(y+z) = y+(x+z)$. With $\mathcal{F}^e$ we denote an arbitrary extension of $\mathcal{F}$. As we use an extended signature semantics, we use $\mathrm{Term}(\mathcal{F}^e)$ as the set of ground terms. With $\succ$ we denote a reduction ordering that is total on ground terms. We write $\mathrm{GSub}(t_1,\ldots,t_n)$ for the set of all ground substitutions mapping the variables of the terms $t_1,\ldots,t_n$ into $\mathrm{Term}(\mathcal{F}^e)$. We write $\mathcal{O}(t)$ for the set of positions in term $t$. An overlap of equation $u=v$ into equation $s=t$ is defined as follows: Let $p \in \mathcal{O}(s)$ be a nonvariable position in $s$ and $\sigma = \mathrm{mgu}(u, s|_p)$ the most general unifier of $u$ and $s|_p$. Then $\sigma(s)[\sigma(v)]_p = \sigma(t)$ is an overlap if $\sigma(v) \not\succ \sigma(u)$. It is a critical pair if additionally $\sigma(t) \not\succ \sigma(s)$. Let $\mathrm{OL}(s=t, E)$ be the set of overlaps of elements of $E$ into $s=t$.

The ordering constraints we use are built of atomic constraints of the form $s = t$, $s > t$, or $s \geq t$, which are satisfied by a substitution $\sigma$ iff $\sigma(s) = \sigma(t)$, $\sigma(s) \succ \sigma(t)$, or $\sigma(s) \succeq \sigma(t)$, respectively. A conjunction $C_1 \wedge \ldots \wedge C_n$ is satisfied by $\sigma$ iff all $C_i$ are satisfied by $\sigma$; a disjunction $C_1 \vee \ldots \vee C_n$ is satisfied by $\sigma$ iff at least one $C_i$ is satisfied. A constraint $C$ is satisfiable with respect to $\succ$ if there is at least one ground substitution that satisfies $C$ with respect to $\succ$. Otherwise, $C$ is unsatisfiable. We use $\top$ and $\bot$ to denote the trivially satisfiable (resp. unsatisfiable) constraint. There is no need to use negation, as $\succ$ is total on ground terms.

Unfailing completion [HR87,BDP89] is a well-known method for (unit) equational theorem proving. We use an inference system that is based on [BDP89], which allows us to keep redundant equations for simplification [AHL03]. This is beneficial in practice, as it strengthens the simplification relation. For the purpose of this work it suffices to consider two sets: $R \subseteq \succ$ stores the rules and $E$ contains the unoriented equations. In addition to rewriting with $R$, ordered rewriting uses the set $E^\succ$ of orientable instances of equations of $E$ for rewrite steps. We denote by $R(E)$ the set $R \cup E^\succ$.

The completeness of the approach is shown with the technique of proof transformations, with a proof ordering $\succ_P$ as main ingredient. For all proofs $P$ that are modified by some operation on $(R,E)$ we have to ensure that there is some proof $P'$ with $P \succ_P P'$. A ground proof for $s=t$ is of the form $P = (t_0, g_1, t_1, \ldots, g_n, t_n)$, where $t_i \in \mathrm{Term}(\mathcal{F}^e)$, $t_0 = s$, and $t_n = t$. For each proof step $t_{i-1} \leftrightarrow_{g_i} t_i$ the justification $g_i$ records the direction of the rewrite step, its position $p$, and the used equation $u=v$ and substitution $\sigma$. We define the complexity $c(s \leftrightarrow_g t)$ of a proof step by

$$c(s \leftrightarrow_g t) = \begin{cases}
(\{s\},\ s|_p,\ (l,r),\ t) & \text{if } s \to_R t \text{ with } l \to r \text{ at } p \in \mathcal{O}(s) \\
(\{t\},\ t|_p,\ (l,r),\ s) & \text{if } s \leftarrow_R t \text{ with } l \to r \text{ at } p \in \mathcal{O}(t) \\
(\{s\},\ s|_p,\ (u,v),\ t) & \text{if } s \to_{E^\succ} t \text{ with } \sigma(u) \succ \sigma(v) \text{ at } p \in \mathcal{O}(s) \\
(\{t\},\ t|_p,\ (u,v),\ s) & \text{if } s \leftarrow_{E^\succ} t \text{ with } \sigma(u) \succ \sigma(v) \text{ at } p \in \mathcal{O}(t) \\
(\{s,t\},\ -,\ -,\ -) & \text{if } s \leftrightarrow_E t \text{ is an unoriented step}
\end{cases}$$

On these tuples we define the ordering $\succ_t$ as the lexicographic combination $(\succ_{mul}, \succ_{st}, \rhd, \succ)$. Here $\succ_{mul}$ is the multiset extension of the fixed reduction ordering $\succ$, $\succ_{st}$ is the subterm ordering, and $\rhd$ is a Noetherian ordering on pairs of terms that we will explain in the following paragraph. The complexity $c(P)$ of proof $P$ is the multiset of the complexities of the proof steps that $P$ contains. This allows us to define the following ordering on proofs: $P_1 \succ_P P_2$ iff $c(P_1) \succ_t^{mul} c(P_2)$, where $\succ_t^{mul}$ is the multiset extension of $\succ_t$.

To define the ordering $\rhd$, we use the following function $T$ to map term pairs to tuples. We have $T(s,t) = (|s|, M(s), s, n)$, where $M(s)$ gives the multiset of function symbols in $s$, and $n$ indicates whether the term pair is a rule $s \to t$ in $R$ (then $n = 1$), or an equation $s = t$ in $E$ (then $n = 3$). For a fixed number of "distinguished" equations, such as $C$ or $C'$, we can choose $n = 2$. On these tuples we define the ordering $\rhd_T$ as the lexicographic combination $\rhd_T = (>_{\mathbb{N}}, \supset, \blacktriangleright, >_{\mathbb{N}})$, where $\blacktriangleright$ denotes the encompassment ordering. We then define $\rhd$ by $(s,t) \rhd (u,v)$ iff $T(s,t) \rhd_T T(u,v)$.

The advantage of this admittedly complex and technical proof ordering is that it extends the proof ordering of [BDP89] and therefore makes more proofs comparable. This leads to more redundant equations. Ordering $\rhd$ is used to guard e.g. the interreduction of left-hand sides of rules. If $l = r$ reduces $s \to t$ at top-level, we require $(s,t) \rhd (l,r)$. In an implementation, program invariants often imply the $\rhd$ relation. We can then skip explicit tests.

Our notion of redundancy is based on the proof ordering: an equation is re- 
dundant if every ground instance has a smaller proof. Unlike critical pair criteria 
it is not limited to critical pairs. 

Definition 1. An equation $s=t$ is redundant with respect to $R(E)$, which we write as $s=t \succ_P R(E)$, if for any $\sigma \in \mathrm{GSub}(s,t)$ either $\sigma(s) = \sigma(t)$ or there is a ground proof $P$ for $\sigma(s) = \sigma(t)$ in $(R,E)$ with $\sigma(s) \to_{s=t} \sigma(t) \succ_P P$ if $\sigma(s) \succ \sigma(t)$, or $\sigma(s) \leftarrow_{s=t} \sigma(t) \succ_P P$ if $\sigma(t) \succ \sigma(s)$.

In previous work [AHL03], we used a strengthened form of ground joinability as redundancy criterion. If an equation $s=t$ is ground joinable in $R(E)$, then there is for each ground instance a joinability proof in $R(E)$. To meet the requirements for redundancy one has to be careful with the first rewrite step of the larger side of the ground instance. If it occurs on the top-level position, the used rule or equation has to be strictly $\rhd$-smaller than $s=t$.

For ordered rewriting ground joinability is undecidable, as even joinability of two ground terms is undecidable [Loc04]. Therefore, sufficient tests are required, which may be specific to certain theories or generic in nature. A simple, yet powerful test is based on AC-equality. An equation $s=t$ that is not contained in $ACC'$ is redundant with respect to $ACC'$ if $s =_{AC} t$. The two generic tests that we implemented are stronger, but at the price of much higher computational costs. The first considers all ordering relations between variables [MN90], which leads to a number of cases that is exponential in the number of variables. Therefore, we restrict the test to equations with at most 5 variables. The second is based on confluence trees [CNNR03]. Here, case distinctions are introduced by considering possible ordered rewrite steps. As full ordering constraints describe the different cases, the method is more powerful than the first, but needs a constraint solver. Hence, it is even more expensive than the first test. Both tests are mainly successful when AC-operators are present.

In both generic tests much work is duplicated between independent tests 
of different equations: Consider two equations that differ only in two subterms 
s and t that are exchanged by commutativity. As both tests have to consider 
the cases when s is greater than t and vice versa, it is likely that both tests 
exchange in some subcases s and t and so perform (nearly) identical work twice. 
Furthermore, the tests check for complete joinability proofs only. They will fail 
if an equation that is necessary for some ground instance is not yet available. 
However, the completion process does not enumerate the equations in the order 
that is most suitable for the tests and our attempts to develop corresponding 
strategies failed. This means that we will take only part of the possible benefit 
even if we repeat the tests. To sum up, we perform too much work at once for 
testing redundancy during completion. This is not surprising, as the generic tests 
were originally designed to check properties of static rewrite systems. 

3 Ground Reducibility as Redundancy Criterion 

The main idea to reduce the work of redundancy tests is to use ground reducibil- 
ity, which is more localized than ground joinability. Hence, we no longer search 
for complete joinability proofs for each ground instance, but focus on the first 
step instead. To complete the proofs, we add the necessary overlaps, which in 
turn make the original equation redundant. This is only a win if the overlaps do 
not outnumber the critical pairs. 

Definition 2. An equation $s=t$ is ground reducible with respect to $R(E)$ if for each $\sigma \in \mathrm{GSub}(s,t)$ at least one of $\sigma(s)$ or $\sigma(t)$ is reducible by $R(E)$.
For ordered rewriting ground reducibility is undecidable in general [CNNR03]; therefore we have to use sufficient tests. We can distinguish three kinds of rewrite steps, which differ in the position at which they occur. If the position is a nonvariable position in the uninstantiated term, the step happens either at the skeleton, that is, all function symbols of the left-hand side of the rewriting equation match function symbols in the term, or it happens at the fringe, such that a part of the function symbols matches function symbols in the substitution part. Furthermore, the step may happen completely in the substitution part, which means that the substitution itself is reducible. It is not necessary for theorem proving to consider such substitutions. Regarding the two other kinds of steps, if $\sigma(s) = \sigma(t)$ is reduced with $l=r$ to $s_1 = t_1$, then there is some overlap $u=v$ from $l=r$ into $s=t$ such that $s_1 = t_1$ is an instance of $u=v$.

To get smaller proofs rewrite steps at top-level have to be performed with 
>-smaller equations. This explains the additional condition in the following the- 
orem, which provides the foundation of our work. 

Theorem 1. Let $s=t$ be ground reducible with respect to $R(E)$ such that all top-level reductions of maximal sides of ground instances are performed with equations in $R \cup E$ that are strictly $\rhd$-smaller than $s=t$. Let $S = \mathrm{OL}(s=t, R \cup E)$. Then $s=t \succ_P R(E \cup S)$.

Proof. Let $\sigma \in \mathrm{GSub}(s,t)$ be $R(E)$-irreducible. The case $\sigma(s) = \sigma(t)$ is trivial. Consider $\sigma(s) \succ \sigma(t)$. Let $P_0$ be the proof $\sigma(s) \to_{s=t} \sigma(t)$. As $s=t$ is ground reducible, $\sigma(s)$ or $\sigma(t)$ is reducible by $R(E)$. First, assume $\sigma(s)$ reduces to $s_1$ at position $p$ with $l=r$ in $R(E)$. Let $P_1$ be the proof $\sigma(s) \to_{R(E)} s_1 \leftrightarrow_S \sigma(t)$. The first step is smaller than the proof step in $P_0$: If it does not occur on top-level, its complexity is smaller in the second component, otherwise in the third component, as then $(s,t) \rhd (l,r)$ by assumption. The second step of $P_1$ is smaller than the step in $P_0$ by the first component of the complexity, as both $\sigma(t)$ and $s_1$ are smaller than $\sigma(s)$. Therefore, $P_0 \succ_P P_1$. Second, consider the case that $\sigma(t)$ reduces to $t_1$ by $R(E)$. Then $\sigma(s) \succ \sigma(t) \succ t_1$. Let $P_2$ be the proof $\sigma(s) \to_S t_1 \leftarrow_{R(E)} \sigma(t)$. The first step of $P_2$ is smaller than the proof step in $P_0$ by the last component of its complexity, as $\sigma(t) \succ t_1$. The second step is smaller by the first component of the complexity, which implies $P_0 \succ_P P_2$.

The case $\sigma(t) \succ \sigma(s)$ is similar to the case $\sigma(s) \succ \sigma(t)$. □

The patterns of the proofs resemble their counterparts used for justifying 
interreduction. There, we can also distinguish between simplification of larger 
and smaller sides. Considering the smaller sides enables more redundancy proofs, 
at the cost of overlapping into smaller sides. This is unproblematic as long as 
the number of overlaps is rather small, which holds true for the special case we 
consider next. 



3.1 The AC-Case 

An analysis of the successful ground joinability tests with the method of [MN90] reveals that the constructed proofs often start with an ordered reduction step with $C$ or $C'$. Hence, we concentrate on ground reducibility with respect to $ACC'$. The simplification of ground terms with $ACC'$ resembles bubble-sort: First, rewrite steps with $A$ bracket the AC-subterms to the right. Then, rewrite steps with $CC'$ exchange adjacent subterms such that smaller terms come to the left.

Possible skeleton steps differ for the cases $A$ and $CC'$. As $A$ is a linear rule, skeleton steps with $A$ imply that the equation is already $A$-reducible, which is easy to decide. For rewrite steps with $CC'$, however, the ordering relation between the (instantiated) subterms is decisive. Consider for example the equation $x+y = g(y)+(z+x)$. An instance $\sigma$ is $CC'$-reducible if $\sigma(x) \succ \sigma(y)$, $\sigma(g(y)) \succ \sigma(z+x)$, $\sigma(z) \succ \sigma(x)$, or $\sigma(g(y)) \succ \sigma(z)$. Therefore, a $CC'$-irreducible ground instance must satisfy the constraint $y \geq x \wedge z+x \geq g(y) \wedge x \geq z \wedge z \geq g(y)$. As this constraint is unsatisfiable, we know that the equation is ground reducible. Note that we can optimize the constraint. For positions where both $C$ and $C'$ are applicable, it suffices to consider $C'$ only, as it leads to a stronger constraint. In the example $z \geq g(y)$ implies $z+x \geq g(y)$, hence we can omit the latter.

The function $\Gamma$ constructs an ordering constraint for a term $t$ such that the satisfying substitutions describe ground instances that are $CC'$-irreducible at skeleton positions. It is defined as follows:

$$\begin{array}{lll}
\Gamma(x) & = \top \\
\Gamma(f(t_1,\ldots,t_n)) & = \Gamma(t_1) \wedge \ldots \wedge \Gamma(t_n) & \text{if } f \notin \mathcal{F}_{AC} \\
\Gamma(t_1 + (t_1 + t_2)) & = \Gamma(t_1 + t_2) & \text{if } + \in \mathcal{F}_{AC} \\
\Gamma(t_1 + (t_2 + t_3)) & = t_2 \geq t_1 \wedge \Gamma(t_1) \wedge \Gamma(t_2 + t_3) & \text{if } + \in \mathcal{F}_{AC} \text{ and } t_1 \neq t_2 \\
\Gamma(t_1 + t_1) & = \Gamma(t_1) & \text{if } + \in \mathcal{F}_{AC} \text{ and } \mathrm{top}(t_1) \neq + \\
\Gamma(t_1 + t_2) & = t_2 \geq t_1 \wedge \Gamma(t_1) \wedge \Gamma(t_2) & \text{if } + \in \mathcal{F}_{AC},\ t_1 \neq t_2, \text{ and } \mathrm{top}(t_2) \neq +
\end{array}$$



Lemma 1. If $\Gamma(t)$ is unsatisfiable, then $t$ is $CC'$-ground reducible.

Proof. Let $\sigma \in \mathrm{GSub}(t)$ and $\Gamma(t) = t_1 \geq t'_1 \wedge \ldots \wedge t_n \geq t'_n$. As $\Gamma(t)$ is unsatisfiable, substitution $\sigma$ satisfies the complement of $\Gamma(t)$, which is equivalent to the constraint $t'_1 > t_1 \vee \ldots \vee t'_n > t_n$. Therefore, there is at least one $i$ such that $\sigma(t'_i) \succ \sigma(t_i)$, which implies that $C$ or $C'$ is applicable at the corresponding position in $\sigma(t)$. □

Note that function $\Gamma$ does not capture AC-ground reducibility in a complete way, as it considers only skeleton steps. First, there are two kinds of fringe steps. Situations such as $x+s$ and $\sigma(x) = s_1+s_2$ lead to reduction steps with $A$. Reduction steps with $C'$ are possible for subterms of the form $s+x$ if $\sigma(x) = s_1+s_2$ and $\sigma(s) \succ s_1$. Both situations can be described by ordering constraints. But these need (local) quantification, which means that we leave (for LPO) the decidable fragment [CT97]. Furthermore, there are examples such that each ground instance that is not skeleton reducible has a reducible substitution. Here, irreducibility constraints are appropriate. Deciding AC-ground reducibility with this approach requires the extension of decision procedures for the satisfiability of ordering constraints to cope with the additionally needed constraints. This is a topic of future research.




A Redundancy Criterion Based on Ground Reducibility



In this work, our main focus is on a practical criterion. For that, we use a test for unsatisfiability of constraints that is only sufficient. Hence, we consider only skeleton reductions. In practice we can expect the input of the redundancy test in $A$-normal form. We can therefore concentrate on the $CC'$-skeleton case. We write $\Gamma(s,t)$ as shorthand notation for $\Gamma(s) \wedge \Gamma(t)$. Combining the previous two results and considering that $C$ and $C'$ always fulfill the $\rhd$ condition we get:

Corollary 1. Let $s=t$ be an equation different from $C$ and $C'$ such that $\Gamma(s,t)$ is unsatisfiable. Let $S = \mathrm{OL}(s=t, CC')$. Then $s=t \succ_P CC' \cup S$. □

The set S is very easy to compute as only subterms are exchanged and even 
unification is unnecessary. The size of this set is linear in the number of AC- 
operators in s = t. This means a huge improvement in practice, as only say 5 or 
10 equations are constructed. For challenging proof tasks the typical size of the 
set of critical pairs with an equation is in the order of several thousand equations. 



3.2 A Refined Criterion for the AC-Case 

Consider equation $x+(y+x) = a$. It cannot be shown redundant by the method of the previous section, because there are irreducible ground instances. These are characterized by $\sigma(x) = \sigma(y)$, that is, they unify nonidentical subterms.¹ Nevertheless, the equation seems to be redundant, as both $CC'$-overlaps, which are $x+(x+y) = a$ and $y+(x+x) = a$, cover these instances, and both overlaps have irreducible ground instances that do not unify subterms. It is easy to exclude such unifying solutions by a modified constraint construction. Function $\Gamma'$ is identical to $\Gamma$, except that it uses $>$ constraints instead of $\geq$ constraints.

However, the proof ordering of Sect. 2 does not justify this approach, as none of the two overlaps is $\rhd$-smaller than the original equation. This is not without reason, as the following example shows. Let $\succ$ be the LPO for $h >_{\mathcal{F}} g >_{\mathcal{F}} f$ and consider $f(h(x)+g(h(y)),\ h(y)+g(h(x))) = x+y$. For this equation the $CC'$-irreducible ground instances unify $x$ and $y$, as for $\succ$ the constraint $g(h(y)) \geq h(x) \wedge g(h(x)) \geq h(y) \wedge y \geq x$ is equivalent to $h(y) \geq h(x) \wedge h(x) \geq h(y) \wedge y \geq x$, which implies $x = y$. However, there is no $CC'$-overlap that covers these instances and that has irreducible instances that do not unify $x$ and $y$.
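The constraint construction $\Gamma$ of Sect. 3.1 and its strict variant $\Gamma'$ of this section, as an added Python example (not the authors' code). It assumes terms are nested tuples with variables as plain strings and `+` as the only AC-operator; run on the equations of both sections it yields exactly the constraints stated in the text.

```python
# Added example, not the paper's code: the constraint construction Γ of
# Sect. 3.1 and its strict variant Γ' of Sect. 3.2. Terms are nested tuples
# ('f', arg, ...), variables are plain strings, and the only AC-operator is
# '+'. Atomic constraints are returned as triples (lhs, op, rhs).

AC = {'+'}                                  # the AC-operators F_AC


def top(t):
    """Top symbol of a term; variables have none."""
    return None if isinstance(t, str) else t[0]


def gamma(t, strict=False):
    """Γ(t), or Γ'(t) when strict: the conjunction (as a list of atomic
    constraints) that a ground instance of t has to satisfy in order to be
    CC'-irreducible at its skeleton positions. An empty list is ⊤."""
    ge = '>' if strict else '>='
    if isinstance(t, str):                  # Γ(x) = ⊤
        return []
    f, args = t[0], t[1:]
    if f not in AC:                         # Γ(f(t1..tn)) = Γ(t1) ∧ ... ∧ Γ(tn)
        return [c for a in args for c in gamma(a, strict)]
    t1, t2 = args
    if top(t2) == '+':                      # right-nested AC-subterm t1 + (t2 + t3)
        if t1 == t2[1]:                     # Γ(t1 + (t1 + t3)) = Γ(t1 + t3): C' is a no-op here
            return gamma(t2, strict)
        # Γ(t1 + (t2 + t3)) = t2 >= t1 ∧ Γ(t1) ∧ Γ(t2 + t3); only C' is
        # considered, because t2 >= t1 already implies t2 + t3 >= t1
        return [(t2[1], ge, t1)] + gamma(t1, strict) + gamma(t2, strict)
    if t1 == t2:                            # Γ(t1 + t1) = Γ(t1): C is a no-op here
        return gamma(t1, strict)
    return [(t2, ge, t1)] + gamma(t1, strict) + gamma(t2, strict)   # Γ(t1 + t2)


def gamma_pair(s, t, strict=False):
    """Γ(s, t) = Γ(s) ∧ Γ(t), the constraint for the equation s = t."""
    return gamma(s, strict) + gamma(t, strict)


if __name__ == '__main__':
    # The equation x + y = g(y) + (z + x) from Sect. 3.1, with the optimized
    # constraint y >= x ∧ z >= g(y) ∧ x >= z.
    print(gamma_pair(('+', 'x', 'y'), ('+', ('g', 'y'), ('+', 'z', 'x'))))
    # x + (y + x) = a from Sect. 3.2: Γ allows x = y, Γ' excludes it.
    print(gamma_pair(('+', 'x', ('+', 'y', 'x')), ('a',)))
    print(gamma_pair(('+', 'x', ('+', 'y', 'x')), ('a',), strict=True))
```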

To retain the original idea to use $\Gamma'$ we therefore have to use an additional guard in the following predicate. Its definition is rather ad-hoc and technical, but the use of $\Gamma'$ is rewarding in practice. Let $S_{AC}(s=t)$ be given by $S_{AC}(s=t) = \{s'=t' \mid s =_{AC} s' \text{ and } t =_{AC} t'\}$.

Definition 3. $U(s,t) = 1$ if $s=t$ is not in $CC'$, $\Gamma(s,t)$ is satisfiable, $\Gamma'(s,t)$ is unsatisfiable, and for all $\sigma \in \mathrm{GSub}(s,t)$ that satisfy $\Gamma(s,t)$ there is some $s'=t'$ in $S_{AC}(s=t)$ such that $\Gamma'(s',t')$ is satisfiable and $\sigma(s) = \sigma(t)$ is an instance of $s'=t'$. Otherwise, $U(s,t) = 0$.

¹ It is tempting to replace the equation by $x+(x+x) = a$ in this situation. But this would endanger completeness as it would interact badly with interreductions. Formally, this is reflected by a violation of the proof ordering for such kind of steps.
The idea behind that definition is that proof steps using an equation $s=t$ with $U(s,t) = 1$ can be replaced by proof steps using an equation $s'=t'$ with $U(s',t') = 0$. Equations with $U(s,t) = 1$ are therefore redundant.

Lemma 2. Let $\sigma(s) = \sigma(t)$ be a $CC'$-irreducible ground instance of $s=t$. Then there is some $s'=t'$ in $S_{AC}(s=t)$ such that $\sigma(s) = \sigma(t)$ is an instance of $s'=t'$ and $U(s',t') = 0$.

Proof. The case $U(s,t) = 0$ is trivial. Consider $U(s,t) = 1$. Then there exists by definition of $U$ some $s'=t'$ in $S_{AC}(s=t)$ such that $\sigma(s) = \sigma(t)$ is an instance of $s'=t'$ and $\Gamma'(s',t')$ is satisfiable. Therefore, $U(s',t') = 0$. □

For the example from the beginning of this section $U$ evaluates to 1 for the original equation and to 0 for both overlaps, because their $\Gamma'$-constraints are satisfiable. With this predicate we modify the proof ordering by modifying ordering $\rhd$ on term pairs. We extend function $T$ to $T'$ with $T'(s,t) = (|s|, M(s), U(s,t), s, n)$ and $\rhd_{T'}$ is the lexicographic combination $\rhd_{T'} = (>_{\mathbb{N}}, \supset, >_{\mathbb{N}}, \blacktriangleright, >_{\mathbb{N}})$.

Lemma 3. Let $s=t$ be an equation with $U(s,t) = 1$. Then for each proof step $P_\sigma$ with $\sigma(s) \leftrightarrow_{s=t} \sigma(t)$ there is some proof $P$ in $CC' \cup S_{AC}(s=t)$ such that $P_\sigma \succ_P P$ and $P$ uses only equations $u=v$ with $U(u,v) = 0$. Therefore, $s=t \succ_P CC' \cup S_{AC}(s=t)$.

Proof. The case $\sigma(s) = \sigma(t)$ is trivial. Consider $\sigma(s) \succ \sigma(t)$, which means that $P_\sigma$ is $\sigma(s) \to_{s=t} \sigma(t)$. Let $S = S_{AC}(s=t)$. Let $P$ be the proof $\sigma(s) \to^!_{CC'^\succ} s_1 \leftrightarrow_S t_1 \leftarrow^!_{CC'^\succ} \sigma(t)$. Because $s_1 = t_1$ is $CC'$-irreducible, there is some $s'=t'$ in $S$ such that $U(s',t') = 0$ and $s_1 = t_1$ is a ground instance of $s'=t'$. The other steps use $C$ and $C'$, for which $U$ evaluates to 0. To show $P_\sigma \succ_P P$ we have to consider two cases for the first step. If $\sigma(s) \succ s_1$ then $\sigma(s)$ gets reduced. The complexity of the first step is therefore smaller than the complexity of the step in $P_\sigma$, either by the second component (if the rewrite step is not top-level), or by the third component. If $\sigma(s) = s_1$ the first step is performed top-level with $s'=t'$, so we have to consider the third component of the complexity. We have $(s,t) \rhd (s',t')$ as $s =_{AC} s'$ and $U(s,t) > U(s',t')$. The remaining steps are smaller by the first component, as $\sigma(s)$ is the maximal term in $P$.

The case $\sigma(t) \succ \sigma(s)$ is similar. □

This means that we can refine the criterion to additionally detect equations $s=t$ with $U(s,t) = 1$. The conditions of $U(s,t)$ seem more restrictive than they are, as in practice we frequently encounter equations with "twisted" variables, such as the example from the beginning of this section, for which $U(s,t) = 1$ can be verified easily.



4 A Test for the Unsatisfiability of Ordering Constraints 

Deciding the satisfiability of ordering constraints is an NP-complete problem for both LPO [Nie93] and KBO [KV01]. The decision procedure for LPO constraints devised in [NR02] performs well in practice in our experience [AL01], but its implementation is not an easy task. To our knowledge there exists no implementation of a decision procedure for KBO constraints.² Our aim is a sufficient test for unsatisfiability that is reasonably precise and efficient, easy to implement, and covers both LPO and KBO. Relying on an approximation is unproblematic for our purpose: Some redundant equations may remain undetected, but the correctness of the method is unaffected.

The input to our test is a conjunction $C$ of atomic constraints. The main idea is to saturate $C$ by using properties of the ordering to derive new constraints from existing ones. The properties are reflected by corresponding saturation rules. Recall that $\succ$ is a total reduction ordering on ground terms. Hence, it is e.g. irreflexive, transitive, and monotonic. For example, we can derive from $x > y \wedge g(y) > g(z) \wedge g(z) > g(x)$ by the monotonicity rule the new constraint $g(x) > g(y)$, then by the transitivity rule $g(z) > g(y)$ and $g(y) > g(y)$. This atomic constraint is clearly unsatisfiable, so we know that the original constraint is unsatisfiable as well.

Our method is inspired by the test of Johann and Socher-Ambrosius [JSA94], which decides for a constraint $C$ whether there exists a simplification ordering $\succ$ and a ground substitution $\sigma$ such that $\sigma$ satisfies $C$ with respect to $\succ$. However, our application is different, so we can strengthen the test and use the ordering $\succ$, which is known and fixed. Furthermore, it is possible for us to enrich the set of rules for the generic test by properties that are specific to LPO or KBO, respectively. This includes the use of the precedence $>_{\mathcal{F}}$ or the weight function $\varphi$.

The constraints generated by the redundancy criteria have many subterms in common. So it is effective to identify them in a preprocessing phase, which furthermore simplifies the main saturation process. We describe the preprocessing in an abstract way by introducing a set $K = \{c_1, c_2, \ldots\}$ of new constants to represent the different subterms in the original problem. This formulation is inspired by modern treatments of congruence closure algorithms [Kap97].

We call a term flat if it is a variable $x$ or of the form $f(c_1,\ldots,c_n)$, that is, an operator applied to new constants only. Let $\mathfrak{E}$ be a conjunction of atomic constraints and $\mathfrak{D}$ a rewrite system which consists of rules $t \to c$ where $t$ is a flat term and $c \in K$. Initially, $\mathfrak{D}$ is empty and $\mathfrak{E}$ contains the original constraint $C$ we want to test for unsatisfiability. The following two transformation rules assign new constants as names to subterms and propagate them through the problem.

1. Naming: $(\mathfrak{E}[t], \mathfrak{D}) \Rightarrow (\mathfrak{E}[c], \mathfrak{D} \cup \{t \to c\})$ if $t$ is a flat term in $\mathfrak{D}$-normal form and $c$ a new constant that is not present in $\mathfrak{E}$ or $\mathfrak{D}$.

2. Propagation: $(\mathfrak{E}[t], \mathfrak{D}) \Rightarrow (\mathfrak{E}[c], \mathfrak{D})$ if $t \to c$ is in $\mathfrak{D}$.

To apply the transformation rules, we perform a leftmost-innermost traversal of the terms. For example, consider the constraint $f(f(x)) > g(f(x))$. The first step is to give $x$ the name $c_1$ and to record this by adding the rule $x \to c_1$ to $\mathfrak{D}$. Similarly, we add the rules $f(c_1) \to c_2$ and $f(c_2) \to c_3$. Next, we traverse the second term. We first propagate already introduced names and replace $x$ by $c_1$ and $f(c_1)$ by $c_2$. Then we add for the remaining term the rule $g(c_2) \to c_4$. The final form of the constraint is $c_3 > c_4$. It is easy to see that this transformation process performs a number of steps that is linear in the size of $C$. After this transformation each subterm $t$ of $C$ is uniquely represented by a new constant $c$. We use $T_{\mathfrak{D}}(c)$ to denote the subterm that $c$ represents. In the example: $T_{\mathfrak{D}}(c_4) = g(f(x))$. With this notation we adapt the definition that a ground substitution $\sigma$ satisfies a constraint $C$ with respect to an ordering $\succ$ to the new representation $(\mathfrak{E}, \mathfrak{D})$: $\sigma$ satisfies the constraint $c > c'$ (resp. $c \geq c'$ or $c = c'$) if $\sigma(T_{\mathfrak{D}}(c)) \succ \sigma(T_{\mathfrak{D}}(c'))$ (resp. $\sigma(T_{\mathfrak{D}}(c)) \succeq \sigma(T_{\mathfrak{D}}(c'))$ or $\sigma(T_{\mathfrak{D}}(c)) = \sigma(T_{\mathfrak{D}}(c'))$).

² This is confirmed by Konstantin Korovin (personal e-mail, December 2003).

Lemma 4. Let $(\mathfrak{E}, \mathfrak{D})$ be the result of preprocessing $C$. Then $\sigma$ satisfies $C$ with respect to $\succ$ if and only if $\sigma$ satisfies $(\mathfrak{E}, \mathfrak{D})$ with respect to $\succ$. The transformation needs a number of steps that is linear in the size of $C$. □

After this preprocessing we start the saturation process. This is based on the following saturation rules, which are suitable for all ground-total reduction orderings. We assume that a rule is only performed if the derived constraint is new to $\mathfrak{E}$. As equality constraints are symmetric, we do not distinguish $c = c'$ and $c' = c$: we assume $c = c'$ to be in $\mathfrak{E}$ iff $c' = c$ is in $\mathfrak{E}$. Furthermore, we assume that $\mathfrak{E}$ contains for each constant $c$ the constraint $c = c$. This does not affect the set of solutions and allows us to simplify conditions such as "either $\mathfrak{E}$ contains $c_1 = c_2$, or $c_1$ and $c_2$ are the same constant". Some rules use an ordering $\sqsupset$ on constraint symbols. We have $> \sqsupset \geq \sqsupset =$.

1. Ordering: $(\mathfrak{E}, \mathfrak{D}) \Rightarrow (\mathfrak{E} \cup \{c > c'\}, \mathfrak{D})$ if $T_{\mathfrak{D}}(c) \succ T_{\mathfrak{D}}(c')$.

2. Transitivity: $(\mathfrak{E}, \mathfrak{D}) \Rightarrow (\mathfrak{E} \cup \{c_1 \odot c_3\}, \mathfrak{D})$ if $\mathfrak{E}$ contains $c_1 \odot_1 c_2$ and $c_2 \odot_2 c_3$, and $\odot = \max_{\sqsupset}\{\odot_1, \odot_2\}$.

3. Monotonicity: $(\mathfrak{E}, \mathfrak{D}) \Rightarrow (\mathfrak{E} \cup \{c \odot c'\}, \mathfrak{D})$ if $\mathfrak{D}$ contains the rules $f(c_1,\ldots,c_n) \to c$ and $f(c'_1,\ldots,c'_n) \to c'$, $\mathfrak{E}$ contains $c_i \odot_i c'_i$ for all $i = 1,\ldots,n$, and $\odot = \max_{\sqsupset}\{\odot_i \mid i = 1,\ldots,n\}$.

4. Decomposition: $(\mathfrak{E}, \mathfrak{D}) \Rightarrow (\mathfrak{E} \cup \{c_i = c'_i\}, \mathfrak{D})$ if $\mathfrak{D}$ contains the rules $f(c_1,\ldots,c_n) \to c$ and $f(c'_1,\ldots,c'_n) \to c'$, and $\mathfrak{E}$ contains $c = c'$.

5. Context: $(\mathfrak{E}, \mathfrak{D}) \Rightarrow (\mathfrak{E} \cup \{c_i \odot c'_i\}, \mathfrak{D})$ if $\mathfrak{D}$ contains the two rules $f(c_1,\ldots,c_n) \to c$ and $f(c'_1,\ldots,c'_n) \to c'$, $\mathfrak{E}$ contains $c \odot c'$ with $\odot \in \{>, \geq\}$, and $\mathfrak{E}$ contains $c_j = c'_j$ for $j = 1,\ldots,n$ with $j \neq i$.

6. Strengthening: $(\mathfrak{E}, \mathfrak{D}) \Rightarrow (\mathfrak{E} \cup \{c > c'\}, \mathfrak{D})$ if $\mathfrak{E}$ contains $c \geq c'$ and $T_{\mathfrak{D}}(c)$ is not unifiable with $T_{\mathfrak{D}}(c')$.

7. Cycle: $(\mathfrak{E}, \mathfrak{D}) \Rightarrow (\mathfrak{E} \cup \{c = c'\}, \mathfrak{D})$ if $\mathfrak{E}$ contains $c \geq c'$ and $c' \geq c$.

8. Absorption: $(\mathfrak{E} \cup \{c \geq c', c \odot c'\}, \mathfrak{D}) \Rightarrow (\mathfrak{E} \cup \{c \odot c'\}, \mathfrak{D})$ if $\odot \in \{>, =\}$.

9. Clash: $(\mathfrak{E} \cup \{c = c'\}, \mathfrak{D}) \Rightarrow (\bot, \mathfrak{D})$ if $T_{\mathfrak{D}}(c)$ is not unifiable with $T_{\mathfrak{D}}(c')$.

10. Bottom: $(\mathfrak{E} \cup \{c > c\}, \mathfrak{D}) \Rightarrow (\bot, \mathfrak{D})$.

Note that the saturation rules do not introduce new terms (i.e., constants); they merely add relations between existing ones. Applying substitutions as in [JSA94] can lead to an exponential growth of the problem size.

Lemma 5. Let $\succ$ be a reduction ordering that is total on ground terms. Let $(\mathfrak{E}, \mathfrak{D}) \Rightarrow (\mathfrak{E}', \mathfrak{D})$ with one of the saturation rules. If $\sigma$ satisfies $(\mathfrak{E}, \mathfrak{D})$ with respect to $\succ$, then $\sigma$ satisfies $(\mathfrak{E}', \mathfrak{D})$ with respect to $\succ$.

Proof. This is an easy consequence of properties concerning $\succ$ and the satisfiability of constraints. Note that Context relies on $\succ$ being total on ground terms. □

The implementation of our method is based on three tables. The first one 
represents $\mathfrak{D}$ and offers for each $c$ the access to the rule $f(c_1, \ldots, c_n) \to c$ and directly 
to $T_{\mathfrak{D}}(c)$. Furthermore, it provides a function $\mathit{parent}(c, i)$, which gives for $c$ all 
constants $c'$ that have $c$ as their $i$-th subterm. This is convenient for some of the 
more complicated rules. After the first phase of the algorithm, in which we build 
up $\mathfrak{D}$, the set of constants is fixed, say to $\{c_1, \ldots, c_N\}$. Then we can allocate a 
quadratic table for $\mathfrak{E}$ with $N \times N$ entries. The entries $\mathfrak{E}[c_i, c_i]$ are set to $=$; for 
the other entries we try to apply rule Ordering. If this is done in a bottom-up 
way, the initialization of $\mathfrak{E}$ can be performed in $O(N^2)$ time, both for KBO and 
LPO. Then we insert the original constraints into $\mathfrak{E}$ and start the saturation 
with regard to the remaining rules. 

In the third table, which we call $\mathfrak{L}$, we add for each modification of $\mathfrak{E}$ an 
entry with the old value, the new value, and the applied rule together with 
justifications. The size of $\mathfrak{L}$ is $2N^2$ in the worst case, as for each entry in $\mathfrak{E}$ at 
most two insertions can occur (first $\geq$, then either $>$ or $=$). Table $\mathfrak{L}$ provides 
several functionalities in a convenient way. First, with a simple index we can 
keep track of the constraints for which we have already applied all saturation rules, 
and of those for which this still has to be done. Second, if one of the rules Bottom or Clash 
applies, we can extract from $\mathfrak{L}$ a detailed justification why the original constraint 
is unsatisfiable. This is helpful not only for debugging purposes, but also for 
determining the subset of the atomic constraints that leads to unsatisfiability. 
Finally, $\mathfrak{L}$ facilitates an undo mechanism. This is interesting if we want to extend 
the constraint incrementally and later retract such additions. With table $\mathfrak{L}$ we 
can do this in a stack-like manner, which is sufficient, for example, for the use in 
confluence trees. 
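The following is an added example, not the paper's implementation: a toy version of the constraint table $\mathfrak{E}$ and the log table described above, over $N$ constants $c_0, \ldots, c_{N-1}$. It covers only the saturation rules that need no term structure, namely Transitivity (taken here as the usual composition of $>$, $\geq$ and $=$), Cycle, Absorption and Bottom; Ordering, Decomposition, Context, Strengthening and Clash would need the definition table $\mathfrak{D}$ and unification and are left out. The entry encoding, the rule names recorded in the log and the `mark`/`undo` interface are assumptions made for this example.

```python
# Added example, not the paper's code.  E[i][j] holds None, '>=', '>' or '='
# (one value per ordered pair, as in the paper: first '>=', then '>' or '=').
# The log L records (i, j, old, new, rule, premises) for every modification,
# which gives justification extraction and stack-like undo for free.

def compose(r1, r2):
    """Relation between c and c'' implied by c r1 c' and c' r2 c'' (Transitivity)."""
    if r1 == '=':
        return r2
    if r2 == '=':
        return r1
    return '>' if '>' in (r1, r2) else '>='


class ConstraintTable:
    def __init__(self, n):
        self.E = [[None] * n for _ in range(n)]
        self.L = []          # log entries: (i, j, old, new, rule, premises)
        self.bottom = None   # index of the log entry that derived c > c

    def relation(self, i, j):
        return self.E[i][j]

    def add(self, i, j, rel):
        """Insert an original constraint c_i rel c_j and saturate.
        Returns False once Bottom has been derived."""
        self._insert(i, j, rel, 'Input', [])
        return self.bottom is None

    def _insert(self, i, j, rel, rule, premises):
        if self.bottom is not None:
            return
        old = self.E[i][j]
        if old == rel or (old in ('>', '=') and rel == '>='):
            return                                   # Absorption: nothing new
        self.E[i][j] = rel
        self.L.append((i, j, old, rel, rule, premises))
        if i == j and rel == '>':
            self.bottom = len(self.L) - 1            # Bottom: c > c
            return
        if old in ('>', '='):
            # c > c' together with c = c' (so c' = c) yields c > c
            self._insert(i, i, '>', 'Transitivity', [(i, j, old), (i, j, rel)])
            return
        if rel == '=':
            self._insert(j, i, '=', 'Symmetry', [(i, j, '=')])
        elif rel == '>=' and self.E[j][i] == '>=':
            self._insert(i, j, '=', 'Cycle', [(i, j, '>='), (j, i, '>=')])
            return
        for k in range(len(self.E)):                 # Transitivity
            r = self.E[j][k]
            if r is not None:
                self._insert(i, k, compose(rel, r), 'Transitivity',
                             [(i, j, rel), (j, k, r)])
            r = self.E[k][i]
            if r is not None:
                self._insert(k, j, compose(r, rel), 'Transitivity',
                             [(k, i, r), (i, j, rel)])

    def justify(self, idx=None):
        """Original constraints that a log entry (by default the Bottom step) rests on."""
        if idx is None:
            idx = self.bottom
        i, j, _, new, rule, premises = self.L[idx]
        if rule == 'Input':
            return {(i, j, new)}
        result = set()
        for (pi, pj, prel) in premises:
            # the latest earlier log entry that put prel into E[pi][pj]
            k = max(n for n, e in enumerate(self.L[:idx])
                    if (e[0], e[1], e[3]) == (pi, pj, prel))
            result |= self.justify(k)
        return result

    def mark(self):
        return len(self.L)

    def undo(self, m):
        """Retract every step after mark m by restoring the old values (stack-like)."""
        while len(self.L) > m:
            i, j, old, _, _, _ = self.L.pop()
            self.E[i][j] = old
        if self.bottom is not None and self.bottom >= m:
            self.bottom = None


def demo():
    """Constructed run: c0 > c1, c1 >= c2, a cycle back to c0, undone again."""
    T = ConstraintTable(4)
    T.add(0, 1, '>')
    T.add(1, 2, '>=')
    derived = T.relation(0, 2)          # '>' by Transitivity
    m = T.mark()
    sat = T.add(2, 0, '>=')             # c2 >= c0 contradicts the derived c0 > c2
    reason = T.justify()                # the input constraints behind c0 > c0
    T.undo(m)                           # retract the last addition
    T.add(2, 3, '>=')
    T.add(3, 2, '>=')                   # Cycle: c2 = c3
    return derived, sat, reason, T.relation(2, 3), T.relation(0, 3), T.bottom


if __name__ == '__main__':
    print(demo())
```

Every derived entry points back to the log positions of its premises, so `justify` walks the derivation down to the original constraints, which is exactly the subset of atomic constraints responsible for unsatisfiability; `undo` only ever pops from the end of the log, which is the stack-like discipline the paragraph describes.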

Theorem 2. The algorithm based on the transformation and saturation rules is 
correct: If it derives $(\bot, \mathfrak{D})$, then the original constraint is unsatisfiable. It needs 
polynomial space and runs in polynomial time in the size of the input. 

Proof. By Lemma 4 and Lemma 5 and induction on the number of saturation 
steps the algorithm preserves satisfiability. Considering time requirements, note 
that for a given atomic constraint $c \odot c'$ a fixed number of rules is tested for 
applicability. These need either constant time (Cycle, Absorption, Bottom), 
have a runtime that is bounded by the maximal arity (Decomposition, Context), 
or have a worst-case complexity that either is linear in $N$ (Transitivity, 
Strengthening, Clash) or is quadratic in $N$ (Monotonicity). As at most 
$2N^2$ atomic constraints are considered, we achieve a polynomial complexity 
for the whole test. □ 

4.1 Extensions for Particular Orderings 

As mentioned in the introduction, two orderings are most frequently used in 
practice, namely LPO and KBO. For LPO we have the following additional 
rules, which reflect closely its definition (the third case of the definition is already 
covered by a combination of generic saturation rules): 

1. Beta: $(\mathfrak{E}, \mathfrak{D}) \Longrightarrow (\mathfrak{E} \cup \{c > c'\}, \mathfrak{D})$ if $\mathfrak{D}$ contains the two rules 
$f(\ldots) \to c$ and $g(c'_1, \ldots, c'_n) \to c'$, $\mathfrak{E}$ contains $c > c'_i$ for $i = 1, \ldots, n$, and 
$f >_P g$. 

2. Gamma: $(\mathfrak{E}, \mathfrak{D}) \Longrightarrow (\mathfrak{E} \cup \{c > c'\}, \mathfrak{D})$ if $\mathfrak{D}$ contains $f(c_1, \ldots, c_n) \to c$ 
and $f(c'_1, \ldots, c'_n) \to c'$, there is some $i$ with $1 \leq i \leq n$ such that $\mathfrak{E}$ contains 
$c_i > c'_i$ and contains $c_j \odot_j c'_j$ with $\odot_j \in \{\geq, =\}$ for all $j = 1, \ldots, i-1$ and 
contains $c > c'_k$ for all $k = i+1, \ldots, n$. 

Lemma 6. Let $\succ$ be a ground-total LPO for precedence $>_P$. Let $(\mathfrak{E}, \mathfrak{D}) \Longrightarrow 
(\mathfrak{E}', \mathfrak{D})$ with Beta or Gamma. If $\sigma$ satisfies $(\mathfrak{E}, \mathfrak{D})$ with respect to $\succ$, then $\sigma$ 
satisfies $(\mathfrak{E}', \mathfrak{D})$ with respect to $\succ$. □ 

The KBO is parameterized by a weight function $\phi$ and a precedence $>_P$. As 
$\phi$ establishes a homomorphism from terms to the naturals, we can analyze the 
effect of applying a substitution to the weights of the resulting terms with the 
help of the following function $\phi$: 

$$\phi(x) = x, \qquad \phi(f(t_1, \ldots, t_n)) = \phi(f) + \phi(t_1) + \ldots + \phi(t_n).$$ 

For example, if $\phi(t) = 4 + 2 \cdot x$, then we know that $\phi(\sigma(t)) = 4 + 2 \cdot \phi(\sigma(x))$. The 
function $\phi$ establishes a natural mapping from constraints to linear Diophantine 
(in-)equations. Constraints $s > t$ and $s \geq t$ are mapped to $\phi(s) - \phi(t) \geq 0$, and 
constraints $s = t$ are mapped to $\phi(s) - \phi(t) = 0$. Hurd's sufficient test for KBO 
constraints uses basically this scheme [Hur03]. The decision procedure of Korovin 
and Voronkov [KV01] is based on a more elaborate translation. 

One of our main goals is to keep the test polynomial, and solving linear 
Diophantine equations is well known to be NP-complete. Therefore, we use $\phi$ 
only for local tests in the following rules. Let $\{x_1, \ldots, x_n\}$ be the variables of 
$s$ and $t$, $\phi(s) = \alpha_0 + \sum_i \alpha_i x_i$ and $\phi(t) = \beta_0 + \sum_i \beta_i x_i$. We write $\phi(s) \geq \phi(t)$ if 
$\alpha_i \geq \beta_i$ for $i = 1, \ldots, n$ and $\alpha_0 + \sum_i \alpha_i \mu \geq \beta_0 + \sum_i \beta_i \mu$, where $\mu$ is the weight of 
the smallest term. 

1. KBO-DOWN: $(\mathfrak{E}, \mathfrak{D}) \Longrightarrow (\mathfrak{E} \cup \{c_i \geq c'_i\}, \mathfrak{D})$ if $\mathfrak{D}$ contains the two rules 
$f(c_1, \ldots, c_n) \to c$ and $f(c'_1, \ldots, c'_n) \to c'$, $\mathfrak{E}$ contains $c \odot c'$ with $\odot \in \{>, \geq\}$, 
$1 \leq i \leq n$, $\mathfrak{E}$ contains $c_j = c'_j$ for all $j < i$, and $\phi(T_{\mathfrak{D}}(c)) = \phi(T_{\mathfrak{D}}(c'))$. 

2. KBO-UP: $(\mathfrak{E}, \mathfrak{D}) \Longrightarrow (\mathfrak{E} \cup \{c > c'\}, \mathfrak{D})$ if $\mathfrak{D}$ contains $f(c_1, \ldots, c_n) \to c$ 
and $f(c'_1, \ldots, c'_n) \to c'$, there is some $i$ with $1 \leq i \leq n$ such that $\mathfrak{E}$ contains 
$c_i > c'_i$ and $c_j = c'_j$ for all $j < i$, and $\phi(T_{\mathfrak{D}}(c)) \geq \phi(T_{\mathfrak{D}}(c'))$. 



Lemma 7. Let $\succ$ be a ground-total KBO for precedence $>_P$ and weight function 
$\phi$. Let $(\mathfrak{E}, \mathfrak{D}) \Longrightarrow (\mathfrak{E}', \mathfrak{D})$ with KBO-DOWN or KBO-UP. If $\sigma$ satisfies $(\mathfrak{E}, \mathfrak{D})$ 
with respect to $\succ$, then $\sigma$ satisfies $(\mathfrak{E}', \mathfrak{D})$ with respect to $\succ$. 

Proof. Let $s = T_{\mathfrak{D}}(c)$ and $t = T_{\mathfrak{D}}(c')$. Case KBO-DOWN: $\phi(s) = \phi(t)$ implies 
$\phi(\sigma(s)) = \phi(\sigma(t))$ for all ground substitutions $\sigma$. As $s$ and $t$ have the same top 
symbol, $\sigma(s) \succ \sigma(t)$ implies $\sigma(T_{\mathfrak{D}}(c_i)) \succeq \sigma(T_{\mathfrak{D}}(c'_i))$. Case KBO-UP: $\phi(s) \geq \phi(t)$ 
implies $\phi(\sigma(s)) \geq \phi(\sigma(t))$ for all ground substitutions $\sigma$. Hence, $\sigma(s) \succ \sigma(t)$ 
either by the weight or by the lexicographic comparison of the subterms. □ 

For the additional rules the test for applicability has a worst-case complexity 
quadratic in $N$. Therefore, the unsatisfiability test remains polynomial. 



5 Experimental Evaluation 

We implemented both variants of the AC-redundancy criterion in our theorem 
prover Waldmeister [LH02]. We consider six variants: STD is the standard 
system, GJ uses the redundancy test based on ground joinability [MN90], ACG 
uses the criterion of Sect. 3.1 and ACG+ the refined criterion of Sect. 3.2. The 
variants GJ/ACG and GJ/ACG+ combine the corresponding tests. Most experi- 
ments were performed on 1 GHz Pentium III machines with 4 GByte of memory. 
Exceptions are the RNG036-7 runs, which were performed on 2.6 GHz Xeon P4 
with 2 GByte of memory. 

As basis for our experiments we chose 218 unit equality problems of TPTP 
Ver. 2.6.0 [SS97] that contain AC operators. Within 5 minutes, 205 examples 
complete. They show, if at all, mostly modest improvements. The criterion based 
on AC-ground reducibility detects most of the equations that the method based 
on ground joinability detects and needs much less time to do so. It even detects 
additional equations, because it uses full ordering constraints. Space does not 
permit going into further details. The real potential of the new criterion can be 
seen in Table 1. It contains the runtime data for four challenging proof tasks. 
Especially the refined criterion shows considerable improvements. 

To analyze the accuracy of the sufficient unsatisfiability test, we took the 
four log files that version ACG+ produced for the challenging examples and 
constructed with functions $T$ and $P$ corresponding constraints. This makes 450,706 
test cases, which we checked for unsatisfiability with respect to LPO and KBO. 
For LPO 112,146 cases can be shown trivially to be $\bot$ or $\top$ by simple ordering 
tests. For the remaining cases our implementation of the decision procedure of 
[NR02] shows 151,500 unsatisfiable, the sufficient test shows 149,365 unsatisfiable, 
i.e., it misses only 1.4 per cent. For KBO a comparison is more difficult, 
as we have no implementation of a decision procedure available. We use an 
implementation of the method of [Hur03] instead, which uses the Omega library 
[Pug92] as decision procedure for the linear Diophantine inequations. Among 
all test cases 110,534 are trivial. Among the remaining cases 147,027 are shown 
unsatisfiable by at least one of the two methods. Whereas Hurd's method 
detects 104,936 cases, our test detects 141,157, which means that, compared to the 
union of the tests, it misses 4.0 per cent. 

This accuracy is far better than originally expected. It seems that the 
generated constraints are rather easy. Although not yet optimized for speed, the 
unsatisfiability test needs less than one per cent of the prover's runtime. 
Table 1. Running times in hours for challenging examples. 

Problem     STD     GJ      ACG     ACG+    GJ/ACG   GJ/ACG+ 
ROB020-1    7.5     6.0     3.3     2.6     3.1      2.6 
ROB007-1    61.9    39.4    20.7    13.3    17.7     13.4 
LAT018-1    > 300   > 300   > 300   12.6    > 300    13.2 
RNG036-7    > 500   341.6   > 500   151.6   243.1    112.0 



6 Conclusions 

We have presented a new redundancy criterion for equational theorem proving 
that is based on a restricted form of AC-ground reducibility. It captures in an 
efficient way a frequently occurring special case where other, more elaborate re- 
dundancy criteria show success. It fits well into the completion paradigm with 
its lazy approach, namely, to add overlaps and to treat them later. This sim- 
plifies the implementation, reduces the amount of work, and avoids the danger 
of multiple computations. Therefore, the new criterion shows a very good ra- 
tio between detection strength and computational cost. Its integration into the 
theorem prover Waldmeister demonstrates that methods based on constraint 
technology can significantly improve high-performance systems in practice. The 
prover can now cope with demanding AC specifications much better than before. 
Nevertheless, it has to be seen how this compares to an approach that integrates 
the theory into the calculus, i.e., works modulo AC. The unsatisfiability test for 
ordering constraints behaves better than originally expected. It will be interesting 
to see how it performs in other domains. For example, it can be used to 
guide the initial phase of the KBO solver of [KV01]. 

For generalizations of our redundancy criteria, two directions are immediate: 
The first one is to transfer the method to the full clausal case, i.e., as a redun- 
dancy criterion in the superposition calculus [BG94]. This seems straightforward 
for the basic case. For the refined criterion it is not so clear to us, because it 
relies on top-level steps. The other direction is to cover more general permutative 
theories or to use a more generic ground reducibility test. 
Abstract. Simplification orderings on terms play a crucial role in reducing the 
search space in paramodulation-based theorem proving. Such a use of orderings 
requires checking simple ordering constraints on substitutions as an essential part 
of many operations. Due to their frequency, such checks are costly and are a 
good target for optimisation. In this paper we present an efficient implementation 
technique for checking constraints in one of the most widely used simplification 
orderings, the Knuth-Bendix ordering. The technique is based on the idea of run- 
time algorithm specialisation, which is a close relative of partial evaluation. 



1 Introduction 

Many modern theorem provers for first-order logic (e.g., E [13], Gandalf [15], 
Waldmeister [1]) deal with equality by using inference systems based on the following 
paramodulation rule: 

$$\frac{C \vee s \simeq t \qquad D[u]}{(C \vee D[t])\theta}\quad \text{(unrestricted) paramodulation},$$ 

where $\theta$ is a most general unifier of the terms $s$ and $u$. 

Unrestricted use of this rule is too prolific to be practical. To overcome this, a num- 
ber of inference systems has been devised that use a simplification ordering >~ on terms 
to restrict the application of paramodulation (see [7] for a comprehensive survey). Al- 
though superposition is probably the most restrictive instance of paramodulation, for the 
purposes of this paper it is sufficient to consider only inference systems based on a less 
restricted ordered paramodulation rule: 

$$\frac{C \vee s \simeq t \qquad D[u]}{(C \vee D[t])\theta}\quad \text{ordered paramodulation},$$ 

where $\theta$ is a most general unifier of $s$ and $u$, $t\theta \not\succeq s\theta$ and $\succ$ is the chosen simplification 
ordering. Checking the condition $t\theta \not\succeq s\theta$ can be viewed as checking whether the 
substitution $\theta$ satisfies the constraint $t \not\succeq s$. 

Apart from restricting paramodulation, simplification orderings are used by some 
important simplification mechanisms, of which the most widely used one is demodulation: 
a positive unit equality $s \simeq t$ can be used to replace a clause $C[s\theta]$ by a "simpler" 
clause $C[t\theta]$, provided that the substitution $\theta$ satisfies the condition $s\theta \succ t\theta$. Again, this 
condition can be viewed as a constraint $s \succ t$ on substitutions. 
In a paramodulation-based theorem prover, checking ordering constraints on substitutions 
is a useful component of many operations, such as resolution, paramodulation 
and demodulation, and may be invoked frequently. It is not unusual that during a 10 
minute run of our system Vampire [9] over 50,000,000 ordering constraint checks have 
to be performed. The simplification orderings used in Vampire and other systems are 
rather complex, so checking ordering constraints in a straightforward manner, that is by 
direct comparison of the terms $s\theta$ and $t\theta$, can be very costly, and in many cases even 
dominate the time taken by all other operations in a prover. As a consequence, checking 
ordering constraints must be implemented efficiently. 

In this paper we show how checking ordering constraints is implemented in Vampire. 
We describe a technique for efficient implementation of checking constraints in the 
well-known Knuth-Bendix ordering. We illustrate our approach only for demodulation. 
Nevertheless, the proposed technique is directly applicable to, and works well in, all 
other operations in Vampire that require ordering constraint checking. The presented 
recipe is mainly intended for developers of systems implementing paramodulation with 
ordering-based restrictions. However, we hope that this paper will be of interest to a 
broader audience as a compact and self-contained illustration of the general method of 
run-time algorithm specialisation, on which our technique is based. 



2 Preliminaries 

2.1 Knuth-Bendix Ordering 

Throughout the paper we will be dealing with a fixed signature $\mathcal{F}$ that contains function 
symbols denoted by $f, g, h$. If we want to emphasise that some function symbols are 
constants, i.e., have arity 0, they will be denoted by $a, b, c$. In addition to function 
symbols, we have an alphabet $V$ of variables. The set of terms over $\mathcal{F}$ and $V$, denoted 
by $T(\mathcal{F}, V)$, is defined in the standard way: all variables in $V$ are terms, and if $f \in \mathcal{F}$ is 
a function symbol of arity $n$ and $t_1, \ldots, t_n$ are terms, then $f(t_1, \ldots, t_n)$ is also a term. 
Terms containing no variables are called ground. 

An ordering $\succ$ on $T(\mathcal{F}, V)$ is called a simplification ordering if: 

1. $\succ$ is stable under substitutions: $s \succ t$ implies $s\theta \succ t\theta$ for all substitutions $\theta$. 

2. All function symbols of $\mathcal{F}$ are monotonic w.r.t. $\succ$: if $s \succ t$ then 
$f(s_1, \ldots, s_{i-1}, s, s_{i+1}, \ldots, s_n) \succ f(s_1, \ldots, s_{i-1}, t, s_{i+1}, \ldots, s_n)$ for all $i$. 

3. $\succ$ satisfies the subterm property: $f(t_1, \ldots, t_n) \succ t_i$ for all $f \in \mathcal{F}$ and $i$. 

This paper is mostly concerned with one specific simplification ordering: the Knuth-Bendix 
ordering [3]. From now on, $\succ$ will denote this ordering unless otherwise 
explicitly stated. 

The Knuth-Bendix ordering is parameterised by a weight function $w$ from $\mathcal{F}$ to the 
set of non-negative integers and a precedence relation, which is a total order $\gg$ on the 
set $\mathcal{F}$ of function symbols. For simplicity, in this paper we assume that $w(f) > 0$ for 
all $f \in \mathcal{F}$. The weight function will be called uniform if $w(f) = 1$ for all $f \in \mathcal{F}$. In 
our examples we always assume that the weight function is uniform, unless otherwise 
explicitly stated. 
For every variable or function symbol $q$ and a term $t$, denote by $C_q(t)$ the number 
of occurrences of $q$ in the term $t$. The weight of a term $t \in T(\mathcal{F}, V)$, denoted by $|t|$, is a 
polynomial over $V$ with integer coefficients defined as follows: 

$$|t| = \sum_{f \in \mathcal{F}} C_f(t) \cdot w(f) + \sum_{x \in V} C_x(t) \cdot x.$$ 

For example, if $w$ is uniform, then $|f(f(a, x_1), f(x_1, x_2))| = 4 + 2 \cdot x_1 + x_2$. Note 
that if $t$ is ground, then $|t|$ is an integer constant. Let $\mu$ denote the minimal weight of a 
ground term, which is in fact the minimal weight of a constant in $\mathcal{F}$. In our examples 
we will always assume $\mu = 1$. 

The set of all linear polynomials over $V$ with non-negative integer coefficients will 
be denoted by $\mathcal{P}(V)$. We will sometimes call such polynomials weight expressions. We 
call a weight assignment any function $\sigma : V \to \mathcal{P}(V)$ such that for every $v \in V$, 
if $\sigma(v)$ is constant, then $\sigma(v) \geq \mu$. If all polynomials $\sigma(x)$ are constant, $\sigma$ will be 
called a ground weight assignment. We distinguish a weight assignment $\sigma_\mu$ such that 
$\sigma_\mu(x) = \mu$ for all $x \in V$. Weight assignments are extended to linear polynomials in the 
following way: $\sigma(\alpha_0 + \alpha_1 x_1 + \ldots + \alpha_n x_n)$ is the polynomial obtained by normalising 
$\alpha_0 + \alpha_1 \cdot \sigma(x_1) + \ldots + \alpha_n \cdot \sigma(x_n)$ using the standard arithmetic laws. For example, 
if $\sigma(x_1) = 2 + 3x_1 + 2x_2$ and $\sigma(x_2) = 3 + 2x_1 + x_2$, then $\sigma(1 + 2x_1 + 3x_2) = 
1 + 2(2 + 3x_1 + 2x_2) + 3(3 + 2x_1 + x_2) = 14 + 12x_1 + 7x_2$. Note that if $\sigma$ is a ground 
weight assignment, then $\sigma(p)$ is constant for all $p \in \mathcal{P}(V)$. 

We define two binary relations $>$ and $\geq$ on $\mathcal{P}(V)$ as follows. Suppose $p_1 = \alpha_0 + 
\alpha_1 x_1 + \ldots + \alpha_n x_n$ and $p_2 = \beta_0 + \beta_1 x_1 + \ldots + \beta_n x_n$, where some of $\alpha_i, \beta_j$ may be 
zero. Then $p_1 > p_2$ if and only if $\sigma(p_1) > \sigma(p_2)$ for all ground weight assignments $\sigma$. 
Also, we let $p_1 \geq p_2$ if and only if $\sigma(p_1) \geq \sigma(p_2)$ for all ground weight assignments 
$\sigma$. Note that both $p_1 = p_2$ and $p_1 > p_2$ imply $p_1 \geq p_2$, but $p_1 \geq p_2$ is not equivalent 
to $p_1 > p_2 \vee p_1 = p_2$. For example, if $a$ is a constant of the minimal weight $\mu$, then 
$|f(x)| \geq |f(a)|$, but neither $|f(x)| > |f(a)|$ nor $|f(x)| = |f(a)|$. 

Now the Knuth-Bendix ordering $\succ$ on $T(\mathcal{F}, V)$ can be defined^1 inductively as follows: 

$$s \succ t \iff \begin{cases} |s| > |t|, \\ \text{or else } |s| \geq |t|,\ s = f(\ldots),\ t = g(\ldots) \text{ and } f \gg g, \\ \text{or else } |s| \geq |t|,\ s = f(s_1, \ldots, s_n),\ t = f(t_1, \ldots, t_n) \\ \qquad \text{and for some } i \text{ we have } s_1 = t_1, \ldots, s_{i-1} = t_{i-1},\ s_i \succ t_i. \end{cases}$$ 

In the sequel we will abbreviate "Knuth-Bendix ordering" to KBO. Note that a stronger 
variant $\succ'$ of KBO on $T(\mathcal{F}, V)$ can be defined as follows: $s \succ' t$ if and only if the 
constraint $s \not\succ t$ has no solutions, i.e., there is no grounding substitution $\theta$ such that 
$s\theta \not\succ t\theta$. Deciding $s \succ' t$ for given terms $s$ and $t$ can be done in polynomial time ([4]), 
but in practice approximations, such as ours, which allow simpler algorithms are usually 
used. 

^1 Our definition is technically different from the classical one in [3]. The use of polynomials as 
term weights allows us to avoid considering numbers of variable occurrences separately. 
2.2 Demodulation and Ordering Constraints 

Demodulation is the following simplification rule: in the presence of a positive unit equality 
$s \simeq t$, a clause $C[s\theta]$ can be replaced by a "simpler" clause $C[t\theta]$ if the substitution $\theta$ 
satisfies the condition $s\theta \succ t\theta$. This condition can be viewed as an ordering constraint 
$s \succ t$ to be checked on different substitutions $\theta$. This ordering constraint can be checked 
on a substitution $\theta$ by simply verifying $s\theta \succ t\theta$ using a general-purpose algorithm 
implementing $\succ$, but this may be inefficient since the same constraint can be checked on 
many different substitutions. Note that $s \succ t$ guarantees $s\theta \succ t\theta$, but during the proof 
search provers often generate non-orientable equations $s \simeq t$, so that neither $s \succ t$ nor 
$t \succ s$ holds and the condition $s\theta \succ t\theta$ actually depends on the substitution $\theta$ generated 
as a result of some unification or matching operation. In this paper we show how to do 
such checks $s\theta \succ t\theta$ for the KBO efficiently. 

Demodulation is usually applied in either forward or backward mode. Forward demodulation 
is the following mechanism. Suppose we have just derived a new clause 
$C$. We would like to simplify it as much as possible by demodulation before adding it to 
the current set of persistent clauses. For this purpose, we try to find among the current 
set of persistent clauses a positive unit equality $s \simeq t$ such that an instance $s\theta$ of the 
term $s$ occurs in $C$. When such an equality is found and the constraint $s \succ t$ holds 
on $\theta$, we replace $s\theta$ in $C$ by $t\theta$. Demodulation inferences are performed on the clause 
exhaustively. 

In backward demodulation, we try to use a newly derived positive unit equality $s \simeq t$ 
to rewrite some persistent clauses. To this end, we try to identify all persistent clauses 
that contain instances of $s$, i.e., terms of the form $s\theta$. As soon as such a clause $C[s\theta]$ is 
found, we have to check $s\theta \succ t\theta$ to ensure applicability of demodulation. 

At this point we have to make an important observation. In backward demodulation, 
a constraint s >- t is tested against potentially many substitutions 9 in a row. Such 
checks will be called backward checks. In forward demodulation, the constraints and 
substitutions occur in an unpredictable order, in this case we speak about forward checks. 

In a typical paramodulation-based theorem prover, demodulation is only one of many 
operations that require checking ordering constraints. For example, in Vampire both for- 
ward and backward checks are also employed to implement superposition inferences. 
The techniques introduced in this paper are directly applicable to most, if not all, known 
instances of KBO constraint checking. The implementations used in Vampire for de- 
modulation and superposition are nearly identical, so in our experiments we measure 
performance for both of them together. 



2.3 Run-Time Algorithm Specialisation 

In our system Vampire several powerful optimisations ([8,10]) use the idea of run-time 
algorithm specialisation. The idea is inspired by the use of partial evaluation in 
optimising program translation (see, e.g., [2]). Suppose that we need to execute some 
algorithm $\mathit{alg}(A, B)$ in a situation where a value of $A$ is fixed for potentially many 
different values of $B$. We can try to find a specialisation of $\mathit{alg}$ for every fixed $A$, i.e., such 
an algorithm $\mathit{alg}_A$, that executing $\mathit{alg}_A(B)$ is equivalent to executing $\mathit{alg}(A, B)$. The 
purpose of specialisation is to make $\mathit{alg}_A(B)$ work faster than $\mathit{alg}(A, B)$ by exploiting 
some particular properties of the fixed value $A$. Typically, $\mathit{alg}_A(B)$ can avoid some 
operations that $\mathit{alg}(A, B)$ would have to perform, if they are known to be redundant for 
this particular parameter $A$. In particular, we can often identify some tests that are true or 
false for $A$, unroll loops and recursion, etc. In general, we are free to use any algorithm 
as $\mathit{alg}_A(B)$ as long as it does the same job as $\mathit{alg}(A, B)$. 

Unlike in partial evaluation, the values of $A$ are not known statically, so the specialisation 
takes place at run-time. Moreover, we do not need any concrete representation of 
$\mathit{alg}$. We only have to imagine $\mathit{alg}$ when we program the specialisation procedure. This 
implies that we cannot use any universal methods for specialising algorithms, which is 
usually the case with partial evaluation, and have to program a specialisation procedure 
for every particular algorithm $\mathit{alg}$. An important advantage of doing so is that we can 
use some powerful specific optimisations exploiting peculiarities of $\mathit{alg}$. 

The specialised algorithm has to be represented in a form that can be interpreted. In 
many cases, usually when $\mathit{alg}_A(B)$ is to be computed on many values $B$ in a row, we 
can compile $\mathit{alg}_A$ into a code of a special abstract machine. Instructions of the abstract 
machine can be represented as records with one field storing an integer tag that identifies 
the instruction type, and other fields for instruction parameters. All instructions of a code 
can be stored in an array, or list, or tree. Interpretation is done by fetching instructions 
in some order, identifying their type and executing the actions associated with this type. 
In C or C++ we can use a switch statement to associate some actions with different 
instruction tags. Modern compilers usually compile a switch statement with integer 
labels from a narrow range rather efficiently by storing the address of the statement 
corresponding to a value $i$ in the $i$-th cell of a special array. We exploit this by taking 
values for instruction tags from a small interval of integers. 

There are situations when many instances of $A$ are intended for long-term storage 
and the calls of $\mathit{alg}(A, B)$ occur with different $B$ in an unpredictable order. For example, 
we may have to check $\mathit{alg}(A_1, B_1)$ first, then $\mathit{alg}(A_2, B_2)$, then $\mathit{alg}(A_1, B_3)$, and so on. 
In such circumstances, full-scale specialisation with compilation may not be appropriate 
due to excessive memory usage. However, we can sometimes find a compact specialised 
representation $A'$ for every $A$ that can be stored with, or instead of, $A$. We also define 
a variant $\mathit{alg}'$ that works on this representation and any call to $\mathit{alg}(A, B)$ is replaced by 
$\mathit{alg}'(A', B)$, intended to do the same job faster. 

3 General Framework 

In this section we present a general framework for specialising KBO constraint checks. 
This framework will be used in the following sections to describe our implementations 
of forward and backward checks. 

3.1 Specialising Weight Comparison 

When implementing KBO constraint checking, it is convenient to have a function for 
comparing weight expressions. We introduce such a function 

$$\mathit{compw} : \mathcal{P}(V) \times \mathcal{P}(V) \to \{(=), (>), (<), (\leq), (\geq), (?)\}$$ 

as follows. 

$$\mathit{compw}(p_1, p_2) = \begin{cases} (=) & \text{if } p_1 = p_2; \\ (>) & \text{if } p_1 > p_2; \\ (<) & \text{if } p_2 > p_1; \\ (\leq) & \text{if } p_2 \geq p_1 \text{ but neither } p_2 = p_1 \text{ nor } p_2 > p_1; \\ (\geq) & \text{if } p_1 \geq p_2 \text{ but neither } p_1 = p_2 \text{ nor } p_1 > p_2; \\ (?) & \text{otherwise.} \end{cases}$$ 



Let us show how computation of $\mathit{compw}(|s\theta|, |t\theta|)$ can be specialised for fixed terms $s$ 
and $t$. The specialisation process can be logically divided in two phases. 

Phase 1. For every substitution $\theta$ define the weight assignment $\sigma_\theta$ as follows: $\sigma_\theta(x) = 
|x\theta|$ for all $x \in V$. Note that we can compute $\mathit{compw}(\sigma_\theta(|s|), \sigma_\theta(|t|))$ as the value 
for $\mathit{compw}(|s\theta|, |t\theta|)$. When $s$ and $t$ are fixed, the weight expressions $|s|$ and $|t|$ are 
precomputed, which allows us to avoid traversing the $s$ and $t$ parts in the terms $s\theta$ and 
$t\theta$ for various $\theta$. Also, in the optimised comparison we compute $\sigma_\theta(x) = |x\theta|$ only once 
for each variable of $s$ and $t$, while a general-purpose procedure would traverse the term 
$x\theta$ during computation of $|s\theta|$ and $|t\theta|$ as many times as there are occurrences of $x$ in $s$ 
and $t$. 

For example, consider $s = f(x_0, f(x_0, f(x_1, f(x_2, x_3))))$. Instead of directly computing 
$|f(x_0\theta, f(x_0\theta, f(x_1\theta, f(x_2\theta, x_3\theta))))|$, we compute $4 + 2|x_0\theta| + |x_1\theta| + |x_2\theta| + 
|x_3\theta|$, thus avoiding traversal of the $f(., f(., f(., f(., .))))$ part and examining the term 
$x_0\theta$ twice. 

Phase 2. Instead of computing $\mathit{compw}(\sigma_\theta(|s|), \sigma_\theta(|t|))$ we can compute 
$\mathit{compw}(\sigma_\theta(\mathit{lft}(|s|, |t|)), \sigma_\theta(\mathit{rht}(|s|, |t|)))$. The functions $\mathit{lft}, \mathit{rht} : \mathcal{P}(V) \times \mathcal{P}(V) \to 
\mathcal{P}(V)$ are defined as follows: $\mathit{lft}(p_1, p_2)$ is obtained by taking all members of $p_1 - p_2$ 
with positive coefficients, and $\mathit{rht}(p_1, p_2)$ is obtained by taking all members of $p_2 - p_1$ 
with positive coefficients^2. The polynomials $\mathit{lft}(|s|, |t|)$ and $\mathit{rht}(|s|, |t|)$ may potentially 
have fewer different variables than $|s|$ and $|t|$, in which case we have to examine fewer 
terms $x\theta$. 

For example, consider the following terms: $s = f(x_0, f(x_0, f(x_1, f(x_2, x_3))))$ and 
$t = f(x_1, f(x_2, f(x_3, x_3)))$. Comparison of $4 + 2|x_0\theta| + |x_1\theta| + |x_2\theta| + |x_3\theta|$ with 
$3 + |x_1\theta| + |x_2\theta| + 2|x_3\theta|$ is now reduced to comparing $1 + 2|x_0\theta|$ with $|x_3\theta|$, which 
does not require examining $x_1\theta$ and $x_2\theta$ at all. Moreover, we no longer need to multiply 
$|x_3\theta|$ by a constant. 

Special cases. For fixed $p_1, p_2 \in \mathcal{P}(V)$, comparison of $\sigma_\theta(p_1)$ with $\sigma_\theta(p_2)$ for different 
$\theta$ can be specialised depending on the form of $p_1$ and $p_2$. Suppose that $p_1 = \alpha_1 x_1 + 
\ldots + \alpha_n x_n$, $\alpha_i > 0$, and $p_2 = \beta_0 > 0$. In this case $\sigma_\theta(p_1) > \sigma_\theta(p_2)$ is equivalent to 
$\alpha_1 \cdot \mathit{mwgi}(x_1\theta) + \ldots + \alpha_n \cdot \mathit{mwgi}(x_n\theta) > \beta_0$, where $\mathit{mwgi}(t)$ denotes the minimal 
weight of a ground instance of the term $t$, and can be computed as the weight of $t$ with 
all variables replaced by constants of the minimal weight. Likewise, $\sigma_\theta(p_1) \geq \sigma_\theta(p_2)$ is 
equivalent to $\alpha_1 \cdot \mathit{mwgi}(x_1\theta) + \ldots + \alpha_n \cdot \mathit{mwgi}(x_n\theta) \geq \beta_0$ and $\sigma_\theta(p_1) = \sigma_\theta(p_2)$ holds 

^2 Using $\mathit{lft}(p_1, p_2)$ and $\mathit{rht}(p_1, p_2)$ is conceptually the same as, but technically more convenient 
than, considering positive and negative parts of $p_1 - p_2$. 

if and only if $\alpha_1 \cdot \mathit{mwgi}(x_1\theta) + \ldots + \alpha_n \cdot \mathit{mwgi}(x_n\theta) = \beta_0$ and all $x_i\theta$ are ground. 
These observations give us two big advantages. 

Firstly, $\mathit{mwgi}(x_i\theta)$ are numbers rather than polynomials, and thus are easier to compute, 
store and manipulate. For some representations of terms, $\mathit{mwgi}$ can even be computed 
in constant time. For example, if the used weight function is uniform, then $\mathit{mwgi}(t)$ 
is just the size of $t$, which can be computed in constant time if $t$ is an array-based flatterm 
(see, e.g., [8]). In some situations it may also be useful to precompute and store $\mathit{mwgi}$ 
for some terms. 

Secondly, for many substitutions $\theta$ we do not need to compute $\alpha_1 \cdot \mathit{mwgi}(x_1\theta) + 
\ldots + \alpha_n \cdot \mathit{mwgi}(x_n\theta)$ completely. Instead, we incrementally compute $\alpha_1 \cdot \mathit{mwgi}(x_1\theta)$, 
$\alpha_1 \cdot \mathit{mwgi}(x_1\theta) + \alpha_2 \cdot \mathit{mwgi}(x_2\theta)$, $\alpha_1 \cdot \mathit{mwgi}(x_1\theta) + \alpha_2 \cdot \mathit{mwgi}(x_2\theta) + \alpha_3 \cdot \mathit{mwgi}(x_3\theta)$, 
and so on. If at the $i$-th step we notice that $\alpha_1 \cdot \mathit{mwgi}(x_1\theta) + \ldots + \alpha_i \cdot \mathit{mwgi}(x_i\theta) + \alpha_{i+1}\mu + 
\ldots + \alpha_n\mu > \beta_0$ we can immediately stop and claim $\sigma_\theta(p_1) > \sigma_\theta(p_2)$. Moreover, we 
can notice that the condition holds while collecting the weight $\mathit{mwgi}(x_i\theta)$. 

Another special case corresponds to situations when $p_1 = \alpha_0$ and $p_2 = \beta_1 x_1 + 
\ldots + \beta_n x_n$. Note that $\sigma_\theta(p_1) > \sigma_\theta(p_2)$ if and only if all $x_i\theta$ are ground and $\alpha_0 > 
\beta_1 \cdot \mathit{mwgi}(x_1\theta) + \ldots + \beta_n \cdot \mathit{mwgi}(x_n\theta)$. Again, as soon as we notice that some $x_i\theta$ is 
non-ground or $\beta_1 \cdot \mathit{mwgi}(x_1\theta) + \ldots + \beta_i \cdot \mathit{mwgi}(x_i\theta) + \beta_{i+1}\mu + \ldots + \beta_n\mu \geq \alpha_0$, we 
can stop and claim that $\sigma_\theta(p_1) \not> \sigma_\theta(p_2)$. 

The general case of $p_1 = \alpha_0 + \alpha_1 x_1 + \ldots + \alpha_n x_n$ and $p_2 = \beta_0 + \beta_1 x_1 + \ldots + \beta_n x_n$ 
degenerates into one of the above special cases when we discover that either $\sigma_\theta(p_1)$ or 
$\sigma_\theta(p_2)$ is a constant. 
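The following is an added example, not code from the paper or from Vampire: KBO with polynomial term weights as defined in Sect. 2.1, the six-valued $\mathit{compw}$ and the $\mathit{lft}$/$\mathit{rht}$ reduction of Phase 2 above, and the straightforward $\mathit{greater}$ procedure of Fig. 1 (Sect. 3.2). The term representation, the uniform weight function with $\mu = 1$ and the precedence are assumptions made for this example; the sample terms are the two terms used in the Phase 1 and Phase 2 examples, plus a constructed non-orientable equation $f(x, y) \simeq f(y, x)$ whose orientation depends on $\theta$.

```python
# Added example, not the paper's code.  A variable is a plain str; a compound
# term is (symbol, args) with args a tuple of terms.  Constants are compound
# terms with no arguments, e.g. ('a', ()).

MU = 1                                # minimal weight of a ground term
PRECEDENCE = ['a', 'b', 'g', 'f']     # constructed precedence: f >> g >> b >> a

def is_var(t):
    return isinstance(t, str)

def weight(t, w=lambda f: 1):
    """|t| as a linear polynomial: dict variable -> coefficient, with the
    constant part stored under the key '' (uniform weights by default)."""
    if is_var(t):
        return {t: 1}
    p = {'': w(t[0])}
    for arg in t[1]:
        for k, v in weight(arg, w).items():
            p[k] = p.get(k, 0) + v
    return p

def _diff(p1, p2):
    keys = set(p1) | set(p2)
    return {k: p1.get(k, 0) - p2.get(k, 0) for k in keys}

def _holds_everywhere(d, strict):
    """Is sigma(d) > 0 (strict) resp. >= 0 for every ground weight assignment?
    A variable may be arbitrarily large, so every variable coefficient must be
    non-negative; the minimum is then attained at sigma_mu."""
    coeffs = {k: v for k, v in d.items() if k != ''}
    if any(v < 0 for v in coeffs.values()):
        return False
    low = d.get('', 0) + MU * sum(coeffs.values())
    return low > 0 if strict else low >= 0

def compw(p1, p2):
    """Compare weight expressions: one of '=', '>', '<', '>=', '<=', '?'."""
    d = _diff(p1, p2)
    if all(v == 0 for v in d.values()):
        return '='
    neg = {k: -v for k, v in d.items()}
    if _holds_everywhere(d, True):
        return '>'
    if _holds_everywhere(neg, True):
        return '<'
    if _holds_everywhere(d, False):
        return '>='
    if _holds_everywhere(neg, False):
        return '<='
    return '?'

def lft(p1, p2):
    """Members of p1 - p2 with positive coefficients (Phase 2)."""
    return {k: v for k, v in _diff(p1, p2).items() if v > 0}

def rht(p1, p2):
    return lft(p2, p1)

def occurs(x, t):
    return t == x if is_var(t) else any(occurs(x, a) for a in t[1])

def greater(s, t):
    """Fig. 1: returns '>' (s > t in KBO), '=' (s = t) or 'x' (failure)."""
    if is_var(s):
        return '=' if s == t else 'x'
    if is_var(t):
        return '>' if occurs(t, s) else 'x'       # subterm property
    cw = compw(weight(s), weight(t))
    if cw == '>':
        return '>'
    if cw in ('=', '>='):
        return greater_prime(s, t)
    return 'x'

def greater_prime(s, t):
    (f, ss), (g, ts) = s, t
    if f == g:
        return lexgreater(ss, ts)
    return '>' if PRECEDENCE.index(f) > PRECEDENCE.index(g) else 'x'

def lexgreater(ss, ts):
    for si, ti in zip(ss, ts):
        c = greater(si, ti)
        if c == '>':
            return '>'
        if c != '=':
            return 'x'
    return '='

def subst(t, theta):
    """Apply a substitution (dict variable -> term) to a term."""
    if is_var(t):
        return theta.get(t, t)
    return (t[0], tuple(subst(a, theta) for a in t[1]))

# Constructed inputs: the paper's Phase 1 / Phase 2 terms s and t.
S = ('f', ('x0', ('f', ('x0', ('f', ('x1', ('f', ('x2', 'x3'))))))))
T = ('f', ('x1', ('f', ('x2', ('f', ('x3', 'x3'))))))

if __name__ == '__main__':
    print(compw(weight(S), weight(T)), lft(weight(S), weight(T)), rht(weight(S), weight(T)))
    lhs, rhs = ('f', ('x', 'y')), ('f', ('y', 'x'))
    theta = {'x': ('f', (('a', ()), ('a', ()))), 'y': ('a', ())}
    print(greater(lhs, rhs), greater(subst(lhs, theta), subst(rhs, theta)))
```

Because `compw` only looks at the difference of the two polynomials, `compw(lft(p1, p2), rht(p1, p2))` always agrees with `compw(p1, p2)`, which is what justifies Phase 2; the constructed equation $f(x, y) \simeq f(y, x)$ fails the constraint check as a bare constraint but passes it under $\theta = \{x \mapsto f(a, a), y \mapsto a\}$, the situation the paper describes for non-orientable equations.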

3.2 Unrolling Recursion and Loops 

A straightforward algorithm for checking $s \succ t$ for arbitrary $s$ and $t$ is shown in Figure 
1. It returns one of the three values $\{(=), (>), (\times)\}$, where $(\times)$ means failure. If we are to 
check $s\theta \succ t\theta$ for fixed terms $s$ and $t$, we can specialise the general algorithm by unrolling 
recursion and loops, and detecting redundant operations. Let us show how to derive a 
specialised procedure $\mathit{greater}_{s,t}(\theta)$ which computes the same value as $\mathit{greater}(s\theta, t\theta)$. 

We assume that none of $s \succ t$, $t \succ s$ and $s = t$ holds, otherwise the comparison 
does not depend on $\theta$ at all. If $s$ or $t$ is a variable, there is nothing we can do but to 
compute $\mathit{greater}(s\theta, t\theta)$, so in what follows we assume that $s = f(s_1, \ldots, s_m)$ and 
$t = g(t_1, \ldots, t_n)$ ($f$ and $g$ need not be different). The first specialisation step is to 
compute $\mathit{compw}(|s|, |t|)$. Our assumption implies $\mathit{compw}(|s|, |t|) \notin \{(>), (<)\}$, so we 
are left with four cases. 

1. Case $\mathit{compw}(|s|, |t|) = (=)$. In this case we can avoid computing $\mathit{compw}(|s\theta|, |t\theta|)$, 
since $|s\theta| = |t\theta|$. As a consequence, $\mathit{greater}_{s,t}(\theta) = \mathit{greater}'_{s,t}(\theta)$. Since the terms 
$s$ and $t$ are incomparable, we must have $f = g$ and $n \geq 1$, so $\mathit{greater}'_{s,t}(\theta) = 
\mathit{lexgreater}_{\langle s_1, \ldots, s_n \rangle, \langle t_1, \ldots, t_n \rangle}(\theta)$. 

The specialisation of lexicographic comparison $\mathit{lexgreater}_{\langle s_1, \ldots, s_n \rangle, \langle t_1, \ldots, t_n \rangle}$ is 
defined as follows. 

a) If $s_1 \succ t_1$, then $\mathit{lexgreater}_{\langle s_1, \ldots, s_n \rangle, \langle t_1, \ldots, t_n \rangle}(\theta)$ consists of a single line 

return $(>)$. 
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fun greater (s, t : T (tF, V)) 
if s is a variable x 

if x = t return (=) 
return (x) 

if t is a variable x 
if x occurs in s return (>) 
return (x) 

cw := compw(\s \ , |t|) 



if cw — (>) 

return /* s >~ t*l 
if cw & {@,0} 
return greater' (s, t ) 

return (x) /* failure */ 



fun greater' (s, t) 

let .S' = f(s i, . . . , Sm) and t = g(ti, ...,t n ) in 
if./' -.7 

return 

lexgreater(< si, ,s n >, < ti, . . • ,t n >) 

if f g return (>) /* s >~ t*/ 

return (x) /* failure */ 

fun lexgreater(< si, . . . , s„ >, < ti, . . . , t n >) 
for i •— 1 ..... » 
c := greater (si,U) 

(>) I* s y t*l 
/* failure */ 
t */ 



if c = Q return 
if c ^ return 
return /* s = 



Fig. 1. Straightforward comparison of terms with KBO 



b) If fi >~ si, then lexgreater <Sl Sn> < t 1> . tn> (0) consists of a single line 

return (x). 

c) If Si = ti, then we have lexgreater <Sl ... Sn> <tl ...,t n >(0) coincides with 

lexgreater <S2 ^ n><t2 ^ tn> (d). 

Note that in all of the above cases we skip a redundant test greater{s\9 , ti6) that 
would have to be performed by the straightforward procedure. In the remaining 
cases we assume that si and t\ are incomparable. 

d) If n = 1, then lexgreater <s Sn > <tl ... tn> is greater Sltl (9). 

e) If n > 1, then the code for lexgreater <Sl Sn> <tl tn> is of the form 

c := greater Sl tl (d) 

if c ^ (=) return c 

...code for lexgreater <S2> ... iSn>i<t2 ,.. .,*„>(<?) 

2. Case $compw(|s|, |t|) = (\leq)$. Here we know that $compw(|s\theta|, |t\theta|) \notin \{(>), (\geq)\}$. When $compw(|s\theta|, |t\theta|) = (=)$, $greater_{s,t}(\theta)$ returns $greater'_{s,t}(\theta)$, and fails otherwise.

3-4. Cases $compw(|s|, |t|) = (\geq)$ and $compw(|s|, |t|) = (?)$. In these cases we know little about $compw(|s\theta|, |t\theta|)$, but the lexicographic part can still be specialised:

fun greater_{s,t}(θ)
  cw := compw(|sθ|, |tθ|)
  if cw = (>) return (>)
  if cw ∈ {(=), (≥)} return greater'_{s,t}(θ)
  return (×)
In the body of the procedure $greater_{s,t}$ all inner calls to the procedures $greater_{s',t'}$, $greater'_{s',t'}$, and $lexgreater_{\langle s_1, \dots, s_n\rangle, \langle t_1, \dots, t_n\rangle}$ are fully unfolded, and in the result we have no recursion or iteration. Note also that the described specialisation technique is fully compatible with the specialisation of weight comparisons discussed earlier: instead of $compw(|s\theta|, |t\theta|)$ we can call $compw(\sigma_\theta(lft(|s|, |t|)), \sigma_\theta(rht(|s|, |t|)))$.

3.3 Propagation of Weight Equations and Term Unifiers 

Suppose we have to compare $s\theta$ with $t\theta$, where $s = f(s_1, \dots, s_n)$ and $t = f(t_1, \dots, t_n)$, for various $\theta$. When $|s\theta| = |t\theta|$, we have to compare $s_i\theta$ and $t_i\theta$, which in many cases requires comparing their weights. The equality $|s\theta| = |t\theta|$ may give us information about the weights of the instances of some variables in $s$ and $t$. Sometimes we can use this information to simplify weight comparisons for $s_i\theta$ and $t_i\theta$. Let us show how this works by an example. Let $s = f(f(x_1, x_2), f(x_3, x_4))$ and $t = f(f(x_3, x_4), f(x_2, x_4))$. The equality $|s\theta| = |t\theta|$ is equivalent to $\sigma_\theta(x_1) = \sigma_\theta(x_4)$. Under this assumption we have $compw(|f(x_1, x_2)\theta|, |f(x_3, x_4)\theta|) = compw(\sigma_\theta(x_1 + x_2), \sigma_\theta(x_3 + x_4)) = compw(\sigma_\theta(x_2), \sigma_\theta(x_3))$, and thus we avoid comparing $\sigma_\theta(x_1)$ with $\sigma_\theta(x_4)$. If $|s\theta| \neq |t\theta|$ but $compw(|s\theta|, |t\theta|) = (>)$, which indicates that $|s\theta| > |t\theta|$, we may still be able to simplify some further weight checks.

At run time this optimisation can hardly be useful; instead we built it into the specialisation procedure. In general, when we specialise the comparison of some subterms in a constraint $s \succ t$, we use all relations on weights of variables that are available from the weight checks for the examined superterms. The relations are used to simplify the weight comparison in a lazy manner: we apply an equality only if it reduces the number of variables in the weight comparison in question, and an inequality is applied only if it can reduce the weight comparison to a definite answer.

A similar optimisation which allows stronger specialisation is based on the following observation: if $greater(s_1\theta, t_1\theta)$ returns $(=)$, it means that $\theta$ is a unifier of $s_1$ and $t_1$. In this situation, at the next step we can compare $(s_2\tau)\theta$ with $(t_2\tau)\theta$ instead of $s_2\theta$ and $t_2\theta$, where $\tau$ is an idempotent most general unifier of $s_1$ and $t_1$. This check can often be better specialised than the one for $s_2\theta$ and $t_2\theta$. For example, let $s = f(x_0, f(x_1, x_1))$ and $t = f(x_1, f(x_0, x_0))$. For any substitution $\theta$ making $x_0\theta = x_1\theta$, $greater(f(x_1, x_1)\theta, f(x_0, x_0)\theta) = greater(f(x_1, x_1)\theta, f(x_1, x_1)\theta) = (=)$. So, as soon as $x_0\theta = x_1\theta$, we can stop and claim $s\theta = t\theta$ without examining $f(x_1, x_1)\theta$ and $f(x_0, x_0)\theta$.



4 Forward Checks 

4.1 Specialised Forward Checks 

Forward checks are performed on constraints that are associated with persistent clauses. Any such constraint may potentially be checked many times on different substitutions, and thus is a good target for specialisation. There are usually many such constraints active at the same time, and a constraint may be persistent for a long time. Therefore, if we want to specialise the constraints, the specialised versions are subject to long-term storage. In these circumstances, full-scale specialisation would require too much memory for storing the specialised versions, and we are bound to look for a light-weight approximation with a very compact representation of specialised constraints.

Suppose $s \succ t$ is a constraint intended for forward checks. Whenever it is checked on a substitution $\theta$, we have to compare the weights $|s\theta|$ and $|t\theta|$. We restrict ourselves to specialising only $compw(|s\theta|, |t\theta|)$. When this test is inconclusive, we proceed as in the straightforward check by computing $greater'(s\theta, t\theta)$. So, apart from the terms $s$ and $t$ themselves, the only thing to be stored is the specialisation of $compw(|s\theta|, |t\theta|)$, which is simply a pair of polynomials $lft(|s|, |t|)$ and $rht(|s|, |t|)$. In our implementation linear polynomials are stored as linked lists of pairs $\langle variable, coefficient\rangle$, each corresponding to a monomial. The constant parts of polynomials are represented by $\langle \#, coefficient\rangle$, where $\#$ is a special symbol. The main advantage of such representation is that some tails of such lists can be shared, thus reducing the strain on memory usage considerably.



4.2 Experimental Results 

We compare experimentally the performance of straightforward constraint checking with the performance of our specialisation-based implementations. The comparison is done by running Vampire, version v5.40, with the OTTER algorithm (see [11]) on Pentium III machines^3, 1GHz, 256Kb cache, running Linux, giving it 10 minutes time limit and 350Mb memory limit. It is run on the 1132 pure equality problems (including 776 unit equality problems) from the TPTP library v2.6.0 ([14]). Experimental results are given for the whole benchmark suite as well as for the 10% of the problems with the largest times taken by straightforward checks. To make the assessment, we measure the time taken by the straightforward and optimised checks for every problem and compare the sums of these times for all problems in the test suite. The checks required by superposition are measured as well as the ones for demodulation. However, in our experiments superposition accounts only for less than 1% of the checks. When memory usage is mentioned, for each problem we measure the maximal amount of memory occupied by the data structures required by the optimisation in question. We experiment with both uniform and non-uniform weight functions. The non-uniform weight function is specified by the following simple formula: $w(f) = 1 + 10 \cdot arity(f)$.

Table 1 summarises the results of our experiments with the forward checks. The 
straightforward implementation is abbreviated as str and the specialised one as spec. 
The second column presents the improvement in time gained by specialisation. To show 
the reader a more thorough picture, we also present the percentage of time taken by 
straightforward checks in the overall time of Vampire runs. The overall time itself is 
presented in the next column to give the reader a feeling of complexity of the tests. The 
last two columns show the number of constraint checks performed and the number of 
invocations of the specialisation procedure. 

^3 A smaller experiment has also been done on UltraSPARC II machines with Solaris. The results were consistent with the ones presented in this paper.
Table 1. Experimental results for forward checks

problem       weight    time(str)/   time(str)·100%/   total time    checks       spec. calls
selection     func.     time(spec)   total time        per prob.,    per prob.,   per prob.,
                                                       sec           10^6         10^3
all 1132      uniform      2.20          42%              100           8.8          4.4
all 1132      non-un.      2.22          43%              101           8.6          4.4
113 hardest   uniform      2.08          78%              367          52.7          9.8
113 hardest   non-un.      2.07          80%              367          50.8          9.3


When memory overhead is concerned, average figures for heterogeneous problem 
sets are not sufficiently informative. So, we characterise the extreme cases here. In 44 
tests with non-uniform weighting functions, the memory usage overhead exceeded 1 
Megabyte. All these problems are relatively hard: on all of them Vampire worked for 
more than 320 seconds and used more than 270 Mb. The worst overhead of more than 
6 Mb was incurred in a 510 second run on BOO066-1, in addition to 310 Mb used by 
other data structures. Very similar results were obtained for the tests with the uniform 
weighting function. 

In our early implementations we have experimented with a slightly deeper specialised representation of constraints. Namely, we stored the result of $greater'(s, t)$ in addition to $lft(|s|, |t|)$ and $rht(|s|, |t|)$. If $greater'(s, t) = (>)$, then $greater'(s\theta, t\theta) = (>)$ for any $\theta$, and $greater'(s, t) = (<)$ also implies $greater'(s\theta, t\theta) = (<)$. To our surprise, this modification led to a noticeable slowdown, not to mention that it uses slightly more memory. This can be explained by the fact that in all our experiments the share of constraint checks that are affected is very low (always less than 3%, on average less than 1%) and the time spent for computing $greater'(s, t)$ does not pay off.



5 Compiled Backward Checks 

In the backward mode a constraint is checked on potentially many substitutions in a row. 
In this situation we can afford a deeper specialisation with compilation. Indeed, it can be 
done in the same piece of memory for many constraints, the overhead introduced by the 
specialisation procedure is amortised well by the subsequent checks, and the benefits 
of specialisation increase with the growing number of constraint checks. Our current 
implementation makes use of all optimisations prescribed by the general framework 
described in Section 3. The specialised version of $greater(s\theta, t\theta)$ is now a rather complex 
algorithm and cannot be represented by a simple piece of data as in the case of forward 
checks. Instead, we compile it into a code of an abstract machine. A detailed description 
of the compilation process would be too long, so we only illustrate the idea by an 
example. 

We are going to specialise $greater(s\theta, t\theta)$ for $s = f(x_0, g(h(x_1, x_2), h(x_2, x_1)), a)$ and $t = f(h(x_1, x_2), g(x_0, x_0), b)$. We assume $w(f) = w(g) = w(h) = w(b) = 1$ and $w(a) = 2$. Figure 2 shows the specialised version written as a pseudo-code. The compiled version is shown in Figure 3 as a sequence of abstract machine instructions accompanied by their semantics. Note that the specialised version for the weight check $compw(2 + |x_1\theta| + |x_2\theta|, |x_0\theta|)$ is also compiled into a subroutine $sub_1$. In fact, since weight comparisons are still costly, we optimise them very thoroughly. We use a large set of highly specialised instructions in order to minimise the code size and the number of performed arithmetic operations, and to be able to use specialised versions of functions for weight collection and comparing polynomials. The abstract machine in our current implementation has about 70 instructions for weight comparison. The mnemonic names for these instructions are too long, so in Figure 3 we denote them by $instr$ with subscripts.

fun greater_{s,t}(θ)
  cw := compw(2 + |x_1θ| + |x_2θ|, |x_0θ|)
  if cw = (>) return (>)
  if cw = (≥) goto lab1
  if cw ≠ (=) return (×)
  return (>)
lab1:
  c := greater(x_0θ, h(x_1, x_2)θ)
  if c = (>) return (>)
  if c ≠ (=) return (×)
  c := greater(x_2θ, x_1θ)
  if c = (>) return (>)
  if c ≠ (=) return (×)
  return (>)

Fig. 2. Specialised check for f(x_0, g(h(x_1, x_2), h(x_2, x_1)), a) ≻ f(h(x_1, x_2), g(x_0, x_0), b)
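The straightforward procedure of Figure 1 and the hand-specialised procedure of Figure 2 can be run side by side to confirm that they agree on every substitution. The Python below is an added example written for this page, not code from the paper or from Vampire. It assumes a minimal ground weight of 1 and the precedence f > g > h > a > b (the paper fixes only the symbol weights), encodes terms as nested tuples, and constructs its own substitutions. The direct return (>) in the (=) branch is the weight-equation propagation of Section 3.3 and the single remaining comparison after c = (=) is its unifier propagation; the example also feeds non-ground instances through the same polynomial comparison, which is where the (≥) and (?) outcomes of compw arise.

```python
# Added example (not from the paper or from Vampire): the straightforward KBO
# check of Fig. 1 and the hand-specialised check of Fig. 2, run side by side.
# Terms are nested tuples ('f', arg, ...); variables are strings.  A weight
# polynomial |t| is a dict {var: coeff} with the constant under key '#'.
# Assumptions: minimal ground weight 1; precedence f > g > h > a > b.
GT, GE, EQ, LE, LT, UNK, FAIL = '>', '>=', '=', '<=', '<', '?', 'x'
WEIGHT = {'f': 1, 'g': 1, 'h': 1, 'b': 1, 'a': 2}  # w(f)=w(g)=w(h)=w(b)=1, w(a)=2
PREC = {'f': 4, 'g': 3, 'h': 2, 'a': 1, 'b': 0}    # precedence (assumption)
MIN_W = 1                                          # minimal weight of a ground term

def is_var(t): return isinstance(t, str)

def padd(*polys):
    out = {}
    for p in polys:
        for v, c in p.items():
            out[v] = out.get(v, 0) + c
    return out

def weight(t):
    """|t| as a polynomial: a variable counts as itself, a symbol as w(f)."""
    return {t: 1} if is_var(t) else padd({'#': WEIGHT[t[0]]}, *map(weight, t[1:]))

def compw(p, q):
    """Compare p and q over all ground instances (Section 3.1)."""
    d = padd(p, {v: -c for v, c in q.items()})     # p - q
    const = d.pop('#', 0)
    pos = sum(c for c in d.values() if c > 0)
    neg = -sum(c for c in d.values() if c < 0)
    if pos and neg:
        return UNK
    if not pos and not neg:
        return GT if const > 0 else EQ if const == 0 else LT
    if pos:                        # minimal value of p - q decides
        m = const + MIN_W * pos
        return GT if m > 0 else GE if m == 0 else UNK
    m = -const + MIN_W * neg       # minimal value of q - p
    return LT if m > 0 else LE if m == 0 else UNK

def occurs(x, t): return t == x if is_var(t) else any(occurs(x, a) for a in t[1:])

def greater(s, t):
    """Fig. 1: (>) if s ≻ t, (=) if s = t, (x) on failure."""
    if is_var(s):
        return EQ if s == t else FAIL
    if is_var(t):
        return GT if occurs(t, s) else FAIL
    cw = compw(weight(s), weight(t))
    if cw == GT:
        return GT
    return greater_prime(s, t) if cw in (EQ, GE) else FAIL

def greater_prime(s, t):
    if s[0] == t[0]:
        return lexgreater(s[1:], t[1:])
    return GT if PREC[s[0]] > PREC[t[0]] else FAIL

def lexgreater(ss, ts):
    for si, ti in zip(ss, ts):
        c = greater(si, ti)
        if c != EQ:
            return c if c == GT else FAIL
    return EQ

def subst(t, theta):
    return theta.get(t, t) if is_var(t) else (t[0],) + tuple(subst(a, theta) for a in t[1:])

# s = f(x0, g(h(x1,x2), h(x2,x1)), a) and t = f(h(x1,x2), g(x0,x0), b) of Section 5
S = ('f', 'x0', ('g', ('h', 'x1', 'x2'), ('h', 'x2', 'x1')), ('a',))
T = ('f', ('h', 'x1', 'x2'), ('g', 'x0', 'x0'), ('b',))

def greater_specialised(theta):
    """greater_{s,t}(θ) of Fig. 2, written out for S and T."""
    x0, x1, x2 = (subst(v, theta) for v in ('x0', 'x1', 'x2'))
    cw = compw(padd({'#': 2}, weight(x1), weight(x2)), weight(x0))  # |sθ| vs |tθ|
    if cw == GT:
        return GT
    if cw != GE:
        # (=) forces |x0θ| = |h(x1,x2)θ| + 1, so the first arguments decide for
        # s without another test (weight-equation propagation, Section 3.3)
        return GT if cw == EQ else FAIL
    # lab1: for (≥) the lexicographic part is needed
    c = greater(x0, ('h', x1, x2))
    if c != EQ:
        return c if c == GT else FAIL
    # x0θ = h(x1,x2)θ is now known (unifier propagation, Section 3.3): of the
    # second arguments only h(x2,x1)θ against h(x1,x2)θ, i.e. x2θ against x1θ, remains
    c = greater(x2, x1)
    if c != EQ:
        return c if c == GT else FAIL
    return GT                      # third arguments: a ≻ b, as w(a) > w(b)

def agree(theta):
    """Does the specialised check return what the straightforward one does?"""
    return greater_specialised(theta) == greater(subst(S, theta), subst(T, theta))

# Constructed substitutions exercising the (>), (=), (<), (≥) and (?) outcomes
THETAS = [
    {'x0': ('b',), 'x1': ('b',), 'x2': ('b',)},                 # 4 > 1
    {'x0': ('h', ('b',), ('a',)), 'x1': ('b',), 'x2': ('b',)},  # 4 = 4
    {'x0': ('g', ('a',), ('a',)), 'x1': ('b',), 'x2': ('b',)},  # 4 < 5
    {'x0': ('h', 'y', ('a',)), 'x1': 'z', 'x2': 'y'},           # z - 1 ≥ 0: (≥)
    {},                                                         # unresolved: (?)
]
```

Running `agree` over `THETAS` gives `True` for every entry; the specialised check answers (>), (>), (×), (×), (×) in that order. The fourth substitution is the instructive one: the total weights compare as (≥), so the code has to fall through to the first-argument comparison, which the polynomial check cannot decide.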

Analysing preliminary experiments we discovered that full-strength compilation of 
all constraints does not always pay off. During the first several seconds of a Vampire 
run the database of stored clauses is small. In these circumstances a constraint is usually 
checked on very few substitutions and the compilation effort is not properly amortised. 
To overcome this we came up with a simple adaptive scheme. We regulate specialisation 
strength by setting a numeric parameter which corresponds to the maximal number of 
possible weight comparison specialisations. When this limit is exceeded by the special- 
isation procedure, we stop unrolling recursion and compare the subterms that remain to 
be compared, by a call to the straightforward procedure. During a Vampire run we keep 
statistics on how many constraints have been used and how many substitutions checked. 
As the ratio of the number of checks over the number of constraints grows, we increase 
the specialisation strength linearly with an experimentally best coefficient. 

Table 2 shows rather encouraging experimental results for the described implementation. The relatively small portion of the overall time taken by straightforward checks 
should not confuse us for two reasons. First, the table presents only the average figure, 
while on some problems backward checks take as much as 33% of the overall running 
time. Second, at the moment we mostly check constraints for demodulation. The con- 
straints arising from orientation of equalities in superposition account only for less than 
2% of the checks. The vector of development of Vampire points toward much more ex- 
tensive use of ordering constraints. When we implement constraints arising from literal 
maximality conditions both in superposition and ordered resolution, and, possibly, some 
form of inherited constraints (see, e.g., [7]), the relative cost of constraint checking will 
most certainly increase significantly. 
CheckWeight[sub_1, lab1]           cw := sub_1(θ)
                                   if cw = (>) return (>)
                                   if cw = (≥) goto lab1
                                   if cw ≠ (=) return (×)
RetGreater                         return (>)
lab1:
Straightforward[x_0, h(x_1, x_2)]  c := greater(x_0θ, h(x_1, x_2)θ)
                                   if c = (>) return (>)
                                   if c ≠ (=) return (×)
Straightforward[x_2, x_1]          c := greater(x_2θ, x_1θ)
                                   if c = (>) return (>)
                                   if c ≠ (=) return (×)
RetGreater                         return (>)

sub_1(θ):
instr_1[x_0, -4]                   R := |x_0θ| - 4
                                   if R is constant
                                     if R < 0 return (>)
                                     goto lab2
instr_2[x_1]                       L := -1 + |x_1θ|
                                   if compw(L, R) = (>) return (>)
instr_3[x_2]                       L := L - 1 + |x_2θ|
                                   return compw(L, R)
lab2:
instr_4[x_1]                       A := R + 1 - mwgi(x_1θ)
                                   if A < 0 return (>)
                                   G := ground(x_1θ)
instr_5[x_2]                       if mwgi(x_2θ) > A + 1 return (>)
                                   if mwgi(x_2θ) < A + 1 return (?)
                                   if G and ground(x_2θ) return (=)
                                   return (≥)

Fig. 3. Compiled check for f(x_0, g(h(x_1, x_2), h(x_2, x_1)), a) ≻ f(h(x_1, x_2), g(x_0, x_0), b)

Apart from adaptive compilation, we have experimented with a light-weight scheme where the specialisation strength is always 1. In this case the improvement is less impressive: the compiled checks are only about 2.5 times faster than the straightforward ones, which suggests that deep specialisation pays off very well.
Table 2. Experimental results for backward checks

problem       weight        time(str)/   time(str)·100%/   total time    checks       comp. calls
selection     func.         time(comp)   total time        per prob.     per prob.,   per prob.,
                                                                         10^6         10^3
all 1132      uniform          6.73         3.5%             135 sec        0.57         10.4
all 1132      non-uniform      6.79         3.5%             135 sec        0.57         10.3
113 hardest   uniform          8.98         6.8%             575 sec        4.74         37.7
113 hardest   non-uniform      9.18         6.9%             571 sec        4.52         37.2


Another question is how much the auxiliary optimisations based on weight equation 
and term unifier propagation (Section 3.3) add to the improvement obtained by weight 
comparison specialisation and loop/recursion unrolling. A large number of constraints is 
affected by these optimisations: more than 30% of constraints are simplified by weight 
equations and more than 50% are affected by unifier propagation. However, this does 
not translate into any noticeable speed-up in our experiments. 



6 Related and Future Work 

Developers of some other paramodulation-based systems recognise ordering constraint checking as one of the performance bottlenecks^4. However, the problem of empirically efficient implementation of constraint checks has not been properly addressed in the literature so far. We have found only a couple of relevant references. In [5] the authors acknowledge the high frequency of constraint checks in problems with many unorientable equations and argue that shared rewriting, which is a form of caching for demodulation steps, helps to make the problem less prominent by reducing the number of demodulation invocations. In [12] the problem is addressed by optimising the comparison procedure for Recursive Path Orderings (RPO, for a definition see, e.g., [7]). The implementation caches the results of comparisons of subterms of the compared terms in order to avoid repeated tests.

Apart from the standard KBO, in Vampire we use a non-recursive variant of the KBO 
(see [9]), where the lexicographic part does not require comparing subterms with the 
ordering itself. Specialisation of constraint checking for this ordering roughly follows the 
framework presented here and is much simpler. It also generally gives better improvement 
over the straightforward checks: with the non-uniform weight function forward checks 
are nearly 7 times, and backward checks are 21 times faster than the corresponding 
straightforward ones. However, we refrain from a detailed discussion of this ordering in 
this paper since so far it has only been used in Vampire. 

A natural continuation of our work would be to try optimising constraint checking for another popular simplification ordering, the Lexicographic Path Ordering (for a definition see, e.g., [7]). We expect the idea of specialisation with compilation to work well for backward checks. A general framework can be formulated on the base of transformation of constraints into solved forms as in [6]. In the case of forward checks there seems to be no obvious light-weight specialised representation of constraints, and solving this problem will probably require extensive experimentation with different variants in order to find a good balance between the speed of constraint checks and the overhead introduced by specialisation.

^4 Stephan Schulz, Bernd Lochner, private communications.

We also suspect that a simple adaptive scheme can be used to accelerate forward 
checks with KBO. Constraints checked more frequently should probably be more deeply 
specialised. In extreme cases, full specialisations, as used for backward checks, can be 
stored in a special cache of a limited size. 
Abstract. The dependency pair approach is one of the most powerful 
techniques for automated (innermost) termination proofs of term rewrite 
systems (TRSs). For any TRS, it generates inequality constraints that 
have to be satisfied by well-founded orders. However, proving innermost 
termination is considerably easier than termination, since the constraints 
for innermost termination are a subset of those for termination. 

We show that surprisingly, the dependency pair approach for termination 
can be improved by only generating the same constraints as for innermost 
termination. In other words, proving full termination becomes virtually 
as easy as proving innermost termination. Our results are based on split- 
ting the termination proof into several modular independent subproofs. 
We implemented our contributions in the automated termination prover 
AProVE and evaluated them on large collections of examples. These ex- 
periments show that our improvements increase the power and efficiency 
of automated termination proving substantially. 



1 Introduction 

Most traditional methods for automated termination proofs of TRSs use simplifi- 
cation orders [7,26], where a term is greater than its proper subterms ( subterm 
property). However, there are numerous important TRSs which are not simply 
terminating , i.e., termination cannot be shown by simplification orders. There- 
fore, the dependency pair approach [2,10,11] was developed which considerably 
increases the class of systems where termination is provable mechanically. 

Example 1. The following variant of an example from [2] is not simply terminating, since $quot(x, 0, s(0))$ reduces to $s(quot(x, s(0), s(0)))$ in which it is embedded. Here, $div(x, y)$ computes for $x, y \in \mathbb{N}$ if $y \neq 0$. The auxiliary function $quot(x, y, z)$ computes $1 +$ if $x \geq y$ and $z \neq 0$ and it computes $0$ if $x < y$.

  div(0, y) → 0                         (1)      quot(0, s(y), z) → 0                    (3)
  div(x, y) → quot(x, y, y)             (2)      quot(s(x), s(y), z) → quot(x, y, z)     (4)
  quot(x, 0, s(z)) → s(div(x, s(z)))    (5)

In Sect. 2, we recapitulate dependency pairs. Sect. 3 proves that for termina- 
tion, it suffices to require only the same constraints as for innermost termination. 



D. Basin and M. Rusinowitch (Eds.): IJCAR 2004, LNAI 3097, pp. 75–90, 2004. 
© Springer-Verlag Berlin Heidelberg 2004 
This result is based on a refinement for termination proofs with dependency 
pairs by Urbain [29], but it improves upon this and related refinements [12,24] 
significantly. In Sect. 4 we show that the new technique of [12] to reduce the 
constraints for innermost termination by integrating the concepts of “argument 
filtering” and “usable rules” can also be adapted for termination proofs. Finally, 
based on the improvements presented before, Sect. 5 introduces a new method 
to remove rules of the TRS which reduces the set of constraints even further. 

In each section, we demonstrate the power of the respective refinement by 
examples where termination can now be shown, while they could not be han- 
dled before. Our results are implemented in the automated termination prover 
AProVE [14]. The experiments in Sect. 6 show that our contributions increase 
power and efficiency on large collections of examples. Thus, our results are also 
helpful for other tools based on dependency pairs ([1], CiME [6], TTT [19]) and we 
conjecture that they can also be used in other recent approaches for termination 
of TRSs [5,9,27] which have several aspects in common with dependency pairs. 

2 Modular Termination Proofs Using Dependency Pairs 

We briefly present the dependency pair approach of Arts & Giesl and refer to [2,10,11,12] for refinements and motivations. We assume familiarity with term rewriting (see, e.g., [4]). For a TRS $\mathcal{R}$ over a signature $\mathcal{F}$, the defined symbols $\mathcal{D}$ are the roots of the left-hand sides of rules and the constructors are $\mathcal{C} = \mathcal{F} \setminus \mathcal{D}$. We restrict ourselves to finite signatures and TRSs. The infinite set of variables is denoted by $\mathcal{V}$ and $\mathcal{T}(\mathcal{F}, \mathcal{V})$ is the set of all terms over $\mathcal{F}$ and $\mathcal{V}$. Let $\mathcal{F}^\sharp = \{f^\sharp \mid f \in \mathcal{D}\}$ be a set of tuple symbols, where $f^\sharp$ has the same arity as $f$ and we often write $F$ for $f^\sharp$. If $t = g(t_1, \dots, t_m)$ with $g \in \mathcal{D}$, we write $t^\sharp$ for $g^\sharp(t_1, \dots, t_m)$.

Definition 2 (Dependency Pair). The set of dependency pairs for a TRS $\mathcal{R}$ is $DP(\mathcal{R}) = \{l^\sharp \to t^\sharp \mid l \to r \in \mathcal{R},\ t \text{ is a subterm of } r \text{ with } root(t) \in \mathcal{D}\}$.

So the dependency pairs of the TRS in Ex. 1 are

  DIV(x, y) → QUOT(x, y, y)          (6)      QUOT(s(x), s(y), z) → QUOT(x, y, z)     (7)
  QUOT(x, 0, s(z)) → DIV(x, s(z))    (8)

For (innermost) termination, we need the notion of (innermost) chains. Intuitively, a dependency pair corresponds to a (possibly recursive) function call and a chain represents possible sequences of calls that can occur during a reduction. We always assume that different occurrences of dependency pairs are variable disjoint and consider substitutions whose domains may be infinite. Here, $\xrightarrow{i}_{\mathcal{R}}$ denotes innermost reductions where one only contracts innermost redexes.

Definition 3 (Chain). Let $\mathcal{P}$ be a set of pairs of terms. A (possibly infinite) sequence of pairs $s_1 \to t_1, s_2 \to t_2, \dots$ from $\mathcal{P}$ is a $\mathcal{P}$-chain over the TRS $\mathcal{R}$ iff there is a substitution $\sigma$ with $t_i\sigma \to^*_{\mathcal{R}} s_{i+1}\sigma$ for all $i$. The chain is an innermost chain iff $t_i\sigma \xrightarrow{i}{}^*_{\mathcal{R}} s_{i+1}\sigma$ and all $s_i\sigma$ are in normal form. An (innermost) chain is minimal iff all $s_i\sigma$ and $t_i\sigma$ are (innermost) terminating w.r.t. $\mathcal{R}$.
To determine which pairs can follow each other in chains, one builds an (innermost) dependency graph. Its nodes are the dependency pairs and there is an arc from $s \to t$ to $u \to v$ iff $s \to t, u \to v$ is an (innermost) chain. Hence, every infinite chain corresponds to a cycle in the graph. In Ex. 1 we obtain the following graph with the cycles $\{(7)\}$ and $\{(6), (7), (8)\}$. Since it is undecidable whether two dependency pairs form an (innermost) chain, for automation one constructs estimated graphs containing the real dependency graph (see e.g., [2,1 s ]).^1




Theorem 4 (Termination Criterion [2]). A TRS $\mathcal{R}$ is (innermost) terminating iff for every cycle $\mathcal{P}$ of the (innermost) dependency graph, there is no infinite minimal (innermost) $\mathcal{P}$-chain over $\mathcal{R}$.

To automate Thm. 4, for each cycle one generates constraints which should be satisfied by a reduction pair $(\succsim, \succ)$ where $\succsim$ is reflexive, transitive, monotonic and stable (closed under contexts and substitutions) and $\succ$ is a stable well-founded order compatible with $\succsim$ (i.e., $\succsim \circ \succ \subseteq \succ$ and $\succ \circ \succsim \subseteq \succ$). But $\succ$ need not be monotonic. The constraints ensure that at least one dependency pair is strictly decreasing (w.r.t. $\succ$) and all remaining pairs and all rules are weakly decreasing (w.r.t. $\succsim$). Requiring $l \succsim r$ for all $l \to r \in \mathcal{R}$ ensures that in chains $s_1 \to t_1, s_2 \to t_2, \dots$ with $t_i\sigma \to^*_{\mathcal{R}} s_{i+1}\sigma$, we have $t_i\sigma \succsim s_{i+1}\sigma$. For innermost termination, a weak decrease is not required for all rules but only for the usable rules. They are a superset of those rules that can reduce right-hand sides of dependency pairs if their variables are instantiated with normal forms.

Definition 5 (Usable Rules). For $\mathcal{F}' \subseteq \mathcal{F} \cup \mathcal{F}^\sharp$ let $Rls(\mathcal{F}') = \{l \to r \in \mathcal{R} \mid root(l) \in \mathcal{F}'\}$. For any term $t$, the usable rules are the smallest set such that

• $\mathcal{U}(x) = \emptyset$ for $x \in \mathcal{V}$ and

• $\mathcal{U}(f(t_1, \dots, t_n)) = Rls(\{f\}) \cup \bigcup_{l \to r \in Rls(\{f\})} \mathcal{U}(r) \cup \bigcup_{j=1}^{n} \mathcal{U}(t_j)$.

For any set $\mathcal{P}$ of dependency pairs, we define $\mathcal{U}(\mathcal{P}) = \bigcup_{s \to t \in \mathcal{P}} \mathcal{U}(t)$.

For the automated generation of reduction pairs, one uses standard (mono- 
tonic) simplification orders. To build non-monotonic orders from simplification 
orders, one may drop function symbols and function arguments by an argument 
filtering [2] (we use the notation of [22]). 

1 Estimated dependency graphs may contain an additional arc from (6) to (8). How- 
ever, if one uses the refinement of instantiating dependency pairs [10,12], then all 
existing estimation techniques would detect that this arc is unnecessary. 
Definition 6 (Argument Filtering). An argument filtering $\pi$ for a signature $\mathcal{F}$ maps every $n$-ary function symbol to an argument position $i \in \{1, \dots, n\}$ or to a (possibly empty) list $[i_1, \dots, i_k]$ with $1 \leq i_1 < \dots < i_k \leq n$. The signature $\mathcal{F}_\pi$ consists of all symbols $f$ with $\pi(f) = [i_1, \dots, i_k]$, where in $\mathcal{F}_\pi$, $f$ has arity $k$. An argument filtering with $\pi(f) = i$ for some $f \in \mathcal{F}$ is collapsing. Every argument filtering $\pi$ induces a mapping from $\mathcal{T}(\mathcal{F}, \mathcal{V})$ to $\mathcal{T}(\mathcal{F}_\pi, \mathcal{V})$, also denoted by $\pi$:

$$\pi(t) = \begin{cases} t & \text{if } t \text{ is a variable} \\ \pi(t_i) & \text{if } t = f(t_1, \dots, t_n) \text{ and } \pi(f) = i \\ f(\pi(t_{i_1}), \dots, \pi(t_{i_k})) & \text{if } t = f(t_1, \dots, t_n) \text{ and } \pi(f) = [i_1, \dots, i_k] \end{cases}$$

For a TRS $\mathcal{R}$, $\pi(\mathcal{R})$ denotes $\{\pi(l) \to \pi(r) \mid l \to r \in \mathcal{R}\}$.

For an argument filtering $\pi$ and reduction pair $(\succsim, \succ)$, $(\succsim_\pi, \succ_\pi)$ is the reduction pair with $s \succsim_\pi t$ iff $\pi(s) \succsim \pi(t)$ and $s \succ_\pi t$ iff $\pi(s) \succ \pi(t)$. Let $\sqsupseteq$ denote $\succsim \cup \succ$ and $\sqsupseteq_\pi$ denote $\succsim_\pi \cup \succ_\pi$. In the following, we always regard filterings for $\mathcal{F} \cup \mathcal{F}^\sharp$.
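Definitions 2, 5 and 6 are mechanical enough to compute for the TRS of Ex. 1. The following Python is an added example written for this page, not code from the paper or from AProVE: it encodes terms as nested tuples, writes the tuple symbol f♯ as the capitalised name F as the paper does, and applies the collapsing filtering π(QUOT) = π(DIV) = 1 that Ex. 8 uses later on the page. The expected outcomes are the paper's own: the three pairs (6), (7), (8), and no usable rules for them because no defined symbol of R occurs in a right-hand side of a pair.

```python
# Added example (not from the paper or from AProVE): dependency pairs (Def. 2),
# usable rules (Def. 5) and argument filterings (Def. 6) for the TRS of Ex. 1.
# Terms are nested tuples ('f', arg, ...); variables are strings; the tuple
# symbol f♯ is written as the capitalised name F, as in the paper.
R = [  # rules (1)-(5) of Ex. 1 as (lhs, rhs)
    (('div', ('0',), 'y'), ('0',)),                                        # (1)
    (('div', 'x', 'y'), ('quot', 'x', 'y', 'y')),                          # (2)
    (('quot', ('0',), ('s', 'y'), 'z'), ('0',)),                           # (3)
    (('quot', ('s', 'x'), ('s', 'y'), 'z'), ('quot', 'x', 'y', 'z')),      # (4)
    (('quot', 'x', ('0',), ('s', 'z')), ('s', ('div', 'x', ('s', 'z')))),  # (5)
]

def is_var(t): return isinstance(t, str)
def root(t): return t[0]

def defined_symbols(rules):
    """D: the roots of the left-hand sides."""
    return {root(l) for l, _ in rules}

def subterms(t):
    yield t
    if not is_var(t):
        for a in t[1:]:
            yield from subterms(a)

def sharp(t):
    """t♯: replace the root g by the tuple symbol g♯, written G."""
    return (root(t).upper(),) + tuple(t[1:])

def dependency_pairs(rules):
    """DP(R) of Def. 2."""
    D = defined_symbols(rules)
    return [(sharp(l), sharp(t)) for l, r in rules
            for t in subterms(r) if not is_var(t) and root(t) in D]

def rls(rules, symbols):
    """Rls(F'): the rules whose left-hand side root is in F'."""
    return [(l, r) for l, r in rules if root(l) in symbols]

def usable_rules(rules, t, seen=None):
    """U(t) of Def. 5 as a list; 'seen' stops the recursion through
    right-hand sides once a symbol's rules have been collected."""
    seen = set() if seen is None else seen
    if is_var(t):
        return []
    out = []
    if root(t) not in seen:
        seen.add(root(t))
        out += rls(rules, {root(t)})
        for _, r in rls(rules, {root(t)}):
            out += usable_rules(rules, r, seen)
    for a in t[1:]:
        out += usable_rules(rules, a, seen)
    return [rule for i, rule in enumerate(out) if rule not in out[:i]]

def usable_rules_of(rules, pairs):
    """U(P): the union of U(t) over the pairs s → t in P."""
    out = []
    for _, t in pairs:
        out += [rule for rule in usable_rules(rules, t) if rule not in out]
    return out

def apply_filtering(pi, t):
    """π(t) of Def. 6; a symbol absent from pi keeps all its arguments."""
    if is_var(t):
        return t
    args = t[1:]
    spec = pi.get(root(t), list(range(1, len(args) + 1)))
    if isinstance(spec, int):                       # collapsing: π(f) = i
        return apply_filtering(pi, args[spec - 1])
    return (root(t),) + tuple(apply_filtering(pi, args[i - 1]) for i in spec)

def filter_pairs(pi, pairs):
    return [(apply_filtering(pi, s), apply_filtering(pi, t)) for s, t in pairs]

PI = {'QUOT': 1, 'DIV': 1}   # the collapsing filtering used for Ex. 1 in Ex. 8
```

`dependency_pairs(R)` returns exactly (6), (7) and (8), `usable_rules_of(R, dependency_pairs(R))` is empty, and under `PI` the three pairs collapse to x → x, s(x) → x and x → x, which is the shape the embedding order argument in Ex. 8 relies on. By contrast `usable_rules(R, ('div', 'x', 'y'))` returns all five rules, since div calls quot and quot calls div.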

Theorem 7 (Modular (Innermost) Termination Proofs [11]). A TRS $\mathcal{R}$ is terminating iff for every cycle $\mathcal{P}$ of the dependency graph there is a reduction pair $(\succsim, \succ)$ and an argument filtering $\pi$ such that both

(a) $s \sqsupseteq_\pi t$ for all pairs $s \to t \in \mathcal{P}$ and $s \succ_\pi t$ for at least one $s \to t \in \mathcal{P}$

(b) $l \succsim_\pi r$ for all rules $l \to r \in \mathcal{R}$

$\mathcal{R}$ is innermost terminating if for every cycle $\mathcal{P}$ of the innermost dependency graph there is a reduction pair $(\succsim, \succ)$ and an argument filtering $\pi$ satisfying both (a) and

(c) $l \succsim_\pi r$ for all rules $l \to r \in \mathcal{U}(\mathcal{P})$

Thm. 7 permits modular^2 proofs, since one can use different filterings and reduction pairs for different cycles. This is inevitable to handle large programs in practice. See [12,18] for techniques to automate Thm. 7 efficiently.

Innermost termination implies termination for locally confluent overlay sys- 
tems and thus, for non-overlapping TRSs [17]. So for such TRSs one should only 
prove innermost termination, since the constraints for innermost termination are 
a subset of the constraints for termination. However, the TRS of Ex. 1 is not 
locally confluent: div(0,0) reduces to the normal forms 0 and quot(0, 0, 0). 

^2 In this paper, "modularity" means that one can split up the termination proof of a TRS $\mathcal{R}$ into several independent subproofs. However, "modularity" can also mean that one would like to split a TRS into subsystems and prove their termination more or less independently. For innermost termination, Thm. 7 also permits such forms of modularity. For example, if $\mathcal{R}$ is a hierarchical combination of $\mathcal{R}_1$ and $\mathcal{R}_2$, we have $\mathcal{U}(\mathcal{P}) \subseteq \mathcal{R}_1$ for every cycle $\mathcal{P}$ of $\mathcal{R}_1$-dependency pairs. Thus, one can prove innermost termination of $\mathcal{R}_1$ independently of $\mathcal{R}_2$. Thm. 11 and its improvements will show that similar modular proofs are also possible for termination instead of innermost termination. Then for hierarchical combinations, termination of $\mathcal{R}_1$ can be proved independently of $\mathcal{R}_2$, provided one uses an estimation of the dependency graph where no further cycles of $\mathcal{R}_1$-dependency pairs are introduced if $\mathcal{R}_1$ is extended by $\mathcal{R}_2$.
Example 8. An automated termination proof of Ex. 1 is virtually impossible
with Thm. 7. We get the constraints $\mathsf{QUOT}(s(x),s(y),z) \succ_\pi \mathsf{QUOT}(x,y,z)$
and $l \succsim_\pi r$ for all $l \to r \in \mathcal{R}$ from the cycle $\{(7)\}$. However, they cannot
be solved by a reduction pair $(\succsim, \succ)$ where $\succsim$ is a quasi-simplification
order: For $t = quot(x, 0, s(0))$ we have $t \to^*_{\mathcal{R}} s(quot(x, s(0), s(0)))$ by rules (5)
and (2). Moreover, $s(quot(x, s(0), s(0))) \succsim_\pi s(t)$ by the subterm property, since
$\mathsf{QUOT}(s(x),s(y),z) \succ_\pi \mathsf{QUOT}(x,y,z)$ implies $\pi(s) = [1]$. But $t \succsim_\pi s(t)$ implies
$\mathsf{QUOT}(s(t),s(t),z) \succ_\pi \mathsf{QUOT}(t,t,z) \succsim_\pi \mathsf{QUOT}(s(t),s(t),z)$ which contradicts
the well-foundedness of $\succ_\pi$.

In contrast, innermost termination of Ex. 1 can easily be proved. There are
no usable rules because the dependency pairs have no defined symbols in their
right-hand sides. Hence, with a filtering $\pi(\mathsf{QUOT}) = \pi(\mathsf{DIV}) = 1$, the constraints
for innermost termination are satisfied by the embedding order.

Our goal is to modify the technique for termination such that its constraints 
become as simple as the ones for innermost termination. As observed in [29], the 
following definition is useful to weaken the constraint (b) for termination. 

Definition 9 ($\mathcal{C}_\varepsilon$ [16]). The TRS $\mathcal{C}_\varepsilon$ is defined as $\{c(x,y) \to x,\ c(x,y) \to y\}$
where $c$ is a new function symbol. A TRS $\mathcal{R}$ is $\mathcal{C}_\varepsilon$-terminating iff $\mathcal{R} \cup \mathcal{C}_\varepsilon$ is
terminating. A relation $\succsim$ is $\mathcal{C}_\varepsilon$-compatible^3 iff $c(x,y) \succsim x$ and $c(x,y) \succsim y$. A
reduction pair $(\succsim, \succ)$ is $\mathcal{C}_\varepsilon$-compatible iff $\succsim$ is $\mathcal{C}_\varepsilon$-compatible.

The TRS $\mathcal{R} = \{f(0,1,x) \to f(x,x,x)\}$ of Toyama [28] is terminating, but
not $\mathcal{C}_\varepsilon$-terminating, since $\mathcal{R} \cup \mathcal{C}_\varepsilon$ admits the infinite reduction $f(0,1,c(0,1)) \to_{\mathcal{R}}$
$f(c(0,1), c(0,1), c(0,1)) \to^2_{\mathcal{C}_\varepsilon} f(0,1,c(0,1)) \to_{\mathcal{R}} \ldots$ This example shows that
requiring $l \succsim r$ only for usable rules is not sufficient for termination: $\mathcal{R} \cup \mathcal{C}_\varepsilon$'s
only cycle $\{F(0,1,x) \to F(x,x,x)\}$ has no usable rules and there is a reduction
pair $(\succsim, \succ)$ satisfying the constraint (a).^4 So $\mathcal{R} \cup \mathcal{C}_\varepsilon$ is innermost terminating,
but not terminating, since we cannot satisfy both (a) and $l \succsim r$ for the $\mathcal{C}_\varepsilon$-rules.

So a reduction of the constraints in (b) is impossible in general, but it is
possible if we restrict ourselves to $\mathcal{C}_\varepsilon$-compatible reduction pairs. This restriction
is not severe, since virtually all reduction pairs used in practice (based on LPO
[20], RPOS [7], KBO [21], or polynomial orders^5 [23]) are $\mathcal{C}_\varepsilon$-compatible.

The first step in this direction was taken by Urbain [29]. He showed that in a
hierarchy of $\mathcal{C}_\varepsilon$-terminating TRSs, one can disregard all rules occurring "later" in
the hierarchy when proving termination. Hence, when showing the termination
of functions which call div or quot, one has to require $l \succsim r$ for the div- and
quot-rules. But if one regards functions which do not depend on div or quot, then
one does not have to take the div- and quot-rules into account in constraint (b).

But due to the restriction to $\mathcal{C}_\varepsilon$-termination, [29] could not use the full power
of dependency graphs. For example, recent dependency graph estimations [18]
detect that the dependency graph for Toyama's TRS $\mathcal{R}$ has no cycle and thus, it
is terminating. But since it is not $\mathcal{C}_\varepsilon$-terminating, it cannot be handled by [29].

^3 Instead of "$\mathcal{C}_\varepsilon$-compatibility", [29] uses the corresponding notion "$\pi$-extendibility".

^4 For example, it is satisfied by the reduction pair induced by $\to_{\mathcal{R} \cup DP(\mathcal{R})}$.

^5 Any polynomial order can be extended to the symbol $c$ such that it is $\mathcal{C}_\varepsilon$-compatible.
In [12], we integrated the approach of [29] with (arbitrary estimations of)
dependency graphs, by restricting ourselves to $\mathcal{C}_\varepsilon$-compatible reduction pairs instead
of $\mathcal{C}_\varepsilon$-terminating TRSs. This combines the advantages of both approaches,
since now one only regards those rules in (b) that the current cycle depends on.

Definition 10 (Dependence). Let $\mathcal{R}$ be a TRS. For two symbols $f$ and $g$ we
say that $f$ depends on $g$ (denoted $f \triangleright_0 g$) iff $g$ occurs in an $f$-rule of $\mathcal{R}$ (i.e., in
$Rls(\{f\})$). Moreover, every tuple symbol $f^\sharp$ depends on $f$. A cycle of dependency
pairs $\mathcal{P}$ depends on all symbols occurring in its dependency pairs.^6 We write $\triangleright_0^+$
for the transitive closure of $\triangleright_0$. For every cycle $\mathcal{P}$ we define $\Delta_0(\mathcal{P},\mathcal{R}) = \{f \mid$
$\mathcal{P} \triangleright_0^+ f\}$. If $\mathcal{P}$ and $\mathcal{R}$ are clear from the context we just write $\Delta_0$ or $\Delta_0(\mathcal{P})$.

In Ex. 1, we have $div \triangleright_0 quot$, $quot \triangleright_0 div$, and each defined symbol depends
on itself. As $\mathsf{QUOT} \triangleright_0 quot \triangleright_0 div$, $\Delta_0$ contains $quot$ and $div$ for both cycles $\mathcal{P}$.

The next theorem shows that it suffices to require a weak decrease only for the 
rules that the cycle depends on. It improves upon Thm. 7 since the constraints 
of type (b) are reduced significantly. Thus, it becomes easier to find a reduction 
pair satisfying the resulting constraints. This increases both efficiency and power. 
For instance, termination of a well-known example of [25] to compute intervals 
of natural numbers cannot be shown with Thm. 7 and a reduction pair based 
on simplification orders, while a proof with Thm. 11 and LPO is easy [12]. 

Theorem 11 (Improved Modular Termination, Version 0 [12]). A TRS
$\mathcal{R}$ is terminating if for every cycle $\mathcal{P}$ of the dependency graph there is a $\mathcal{C}_\varepsilon$-
compatible reduction pair $(\succsim, \succ)$ and an argument filtering $\pi$ satisfying both
constraint Thm. 7 (a) and

(b) $l \succsim_\pi r$ for all rules $l \to r \in Rls(\Delta_0(\mathcal{P},\mathcal{R}))$

Proof. The proof is based on the following key observation [29, Lemma 2]:

Every minimal $\mathcal{P}$-chain over $\mathcal{R}$ is a $\mathcal{P}$-chain over $Rls(\Delta_0(\mathcal{P},\mathcal{R})) \cup \mathcal{C}_\varepsilon$. (9)

For the proof of Thm. 11, by Thm. 4 we have to show absence of minimal infinite
$\mathcal{P}$-chains $s_1 \to t_1, s_2 \to t_2, \ldots$ over $\mathcal{R}$. By (9), such a chain is also a chain over
$Rls(\Delta_0(\mathcal{P},\mathcal{R})) \cup \mathcal{C}_\varepsilon$. Hence, there is a substitution $\sigma$ with $t_i\sigma \to^*_{Rls(\Delta_0(\mathcal{P},\mathcal{R})) \cup \mathcal{C}_\varepsilon}$
$s_{i+1}\sigma$ for all $i$. We extend $\pi$ to $c$ by $\pi(c) = [1,2]$. So $\mathcal{C}_\varepsilon$-compatibility of $\succsim$ implies
$\mathcal{C}_\varepsilon$-compatibility of $\succsim_\pi$. By (b) we have $t_i\sigma \succsim_\pi s_{i+1}\sigma$ for all $i$ as $\succsim_\pi$ is stable and
monotonic. Using (a) and stability of $\succ_\pi$ leads to $s_i\sigma \succ_\pi t_i\sigma$ for infinitely many
$i$ and $s_i\sigma \succsim_\pi t_i\sigma$ for all remaining $i$ contradicting $\succ_\pi$'s well-foundedness. □

The proof shows that Thm. 11 only relies on observation (9). When refining 
the definition of Aq in the next section, we only have to prove that (9) still holds. 



^6 The symbol "$\triangleright_0$" is overloaded to denote both the dependence between function
symbols ($f \triangleright_0 g$) and between cycles and function symbols ($\mathcal{P} \triangleright_0 f$).
3 No Dependences for Tuple Symbols and Left-Hand Sides

Thm. 11 reduces the constraints for termination considerably. However for Ex. 1,
the constraints according to Thm. 11 are the same as with Thm. 7. The reason
is that both cycles $\mathcal{P}$ depend on quot and div and therefore, $Rls(\Delta_0(\mathcal{P})) = \mathcal{R}$.
Hence, as shown in Ex. 8, an automated termination proof is virtually impossible.

To solve this problem, we improve the notion of "dependence" by dropping
the condition that every tuple symbol $f^\sharp$ depends on $f$. Then the cycles in Ex. 1
do not depend on any defined function symbol anymore, since they contain no
defined symbols. When modifying the definition of $\Delta_0(\mathcal{P})$ in this way in Thm. 11,
we obtain no constraints of type (b) for Ex. 1, since $Rls(\Delta_0(\mathcal{P})) = \emptyset$. So now
the constraints for termination of this example are the same as for innermost
termination and the proof succeeds with the embedding order, cf. Ex. 8.^7

Now the only difference between $\mathcal{U}(\mathcal{P})$ and $Rls(\Delta_0(\mathcal{P}))$ is that in $Rls(\Delta_0(\mathcal{P}))$,
$f$ also depends on $g$ if $g$ occurs in the left-hand side of an $f$-rule. Similarly, $\mathcal{P}$
also depends on $g$ if $g$ occurs in the left-hand side of a dependency pair from
$\mathcal{P}$. The following example shows that disregarding dependences from left-hand
sides (as in $\mathcal{U}(\mathcal{P})$) can be necessary for the success of the termination proof.

Example 12. We extend the TRS for division from Ex. 1 by the following rules.

plus(x, 0) → x
plus(0, y) → y
plus(s(x), y) → s(plus(x, y))
times(0, y) → 0
times(s(0), y) → y
div(div(x, y), z) → div(x, times(y, z))

Even when disregarding dependences $f^\sharp \triangleright_0 f$, the constraints of Thm. 11 for
this TRS are not satisfiable by reduction pairs based on RPOS, KBO, or polynomial
orders: Any cycle containing the new dependency pair $\mathsf{DIV}(div(x,y),z) \to$
$\mathsf{DIV}(x, times(y,z))$ would depend on both div and times and thus, all rules of the
TRS would have to be weakly decreasing. Weak decrease of plus and times implies
that one has to use an argument filtering with $s(x) \succ_\pi x$. But since $t \succsim_\pi s(t)$ for
the term $t = quot(x, 0, s(0))$ as shown in Ex. 8, this gives a contradiction.

Cycles with $\mathsf{DIV}(div(x,y),z) \to \mathsf{DIV}(x, times(y,z))$ only depend on div because
it occurs in the left-hand side. This motivates the following refinement of $\triangleright_0$.

Definition 13 (Refined Dependence, Version 1). For two function symbols
$f$ and $g$, the refined dependence relation $\triangleright_1$ is defined as $f \triangleright_1 g$ iff $g$ occurs in
the right-hand side of an $f$-rule and a cycle $\mathcal{P}$ depends on all symbols in the
right-hand sides of its dependency pairs. Again, $\Delta_1(\mathcal{P},\mathcal{R}) = \{f \mid \mathcal{P} \triangleright_1^+ f\}$.

With Def. 13, the constraints of Thm. 11 are the same as in the innermost
case: $\mathcal{U}(\mathcal{P}) = Rls(\Delta_1(\mathcal{P}))$ and termination of Ex. 12 can be proved using LPO.

To show that one may indeed regard $\Delta_1(\mathcal{P})$ instead of $\Delta_0(\mathcal{P})$ in Thm. 11, we
prove an adapted version of (9) with $\Delta_1$ instead of $\Delta_0$. As in the proofs for $\Delta_0$
in [24,29] and in the original proofs of Gramlich [16], we map any $\mathcal{R}$-reduction
to a reduction w.r.t. $Rls(\Delta_1) \cup \mathcal{C}_\varepsilon$. However, our mapping $\mathcal{I}_1$ is a modification
of these earlier mappings, since terms $g(t_1,\ldots,t_n)$ with $g \notin \Delta_1$ are treated
differently. Fig. 1 illustrates that by this mapping, every minimal chain over $\mathcal{R}$
corresponds to a chain over $Rls(\Delta_1) \cup \mathcal{C}_\varepsilon$, but instead of the substitution $\sigma$ one
uses a different substitution $\mathcal{I}_1(\sigma)$. Thus, the observation (9) also holds for $\Delta_1$
instead of $\Delta_0$.

^7 If an estimated dependency graph has the additional cycle $\{(6),(8)\}$, here one may
use an LPO with $\pi(\mathsf{DIV}) = \pi(\mathsf{QUOT}) = 2$, $\pi(s) = [\,]$, and the precedence $0 > s$.



[Fig. 1. Transformation of chains: a minimal chain $\ldots \to t_i\sigma \to^*_{\mathcal{R}} s_{i+1}\sigma \to \ldots$ over $\mathcal{R}$ is mapped by $\mathcal{I}_1$ to a chain over $Rls(\Delta_1) \cup \mathcal{C}_\varepsilon$ with the substitution $\mathcal{I}_1(\sigma)$.]



Intuitively, $\mathcal{I}_1(t)$ "collects" all terms that $t$ can be reduced to. However, we
only regard reductions on or below symbols that are not from $\Delta_1$. Normal forms
whose roots are not from $\Delta_1$ may be replaced by a fresh variable. To represent a
collection $t_1, \ldots, t_n$ of terms by just one term, one uses $c(t_1, c(t_2, \ldots c(t_n, x)\ldots))$.

Definition 14. Let $\Delta \subseteq \mathcal{F} \cup \mathcal{F}^\sharp$ and let $t \in \mathcal{T}(\mathcal{F} \cup \mathcal{F}^\sharp, \mathcal{V})$ be a terminating term.
We define $\mathcal{I}_1(t)$:

$\mathcal{I}_1(x) = x$ for $x \in \mathcal{V}$

$\mathcal{I}_1(f(t_1,\ldots,t_n)) = f(\mathcal{I}_1(t_1),\ldots,\mathcal{I}_1(t_n))$ for $f \in \Delta$

$\mathcal{I}_1(g(t_1,\ldots,t_n)) = Comp(\{g(\mathcal{I}_1(t_1),\ldots,\mathcal{I}_1(t_n))\} \cup Red_1(g(t_1,\ldots,t_n)))$ for $g \notin \Delta$

where $Red_1(t) = \{\mathcal{I}_1(t') \mid t \to_{\mathcal{R}} t'\}$. Moreover, $Comp(\{t\} \uplus M) = c(t, Comp(M))$
and $Comp(\emptyset) = x_{new}$, where $x_{new}$ is a fresh variable. To ensure that $Comp$ is
well-defined we assume that in the recursive definition of $Comp(\{t\} \uplus M)$, $t$ is
smaller than all terms in $M$ due to some total well-founded order $>_{\mathcal{T}}$ on terms.

For every terminating substitution $\sigma$ (i.e., $\sigma(x)$ is terminating for all $x \in \mathcal{V}$),
we define the substitution $\mathcal{I}_1(\sigma)$ as $\mathcal{I}_1(\sigma)(x) = \mathcal{I}_1(\sigma(x))$ for all $x \in \mathcal{V}$.

Note that Def. 14 is only possible for terminating terms $t$, since otherwise,
$\mathcal{I}_1(t)$ could be infinite. Before we can show that Thm. 11 can be adapted to the
refined definition $\Delta_1$, we need some additional properties of $Comp$ and $\mathcal{I}_1$. In
contrast to the corresponding lemmas in [24,29], they demonstrate that the rules
of $\Delta_0 \setminus \Delta_1$ are not needed and we show in Lemma 16 (ii) and (iii) how to handle
dependency pairs and rules where the left-hand side is not from $\mathcal{T}(\Delta_1, \mathcal{V})$.^8

Lemma 15 (Properties of $Comp$). If $t \in M$ then $Comp(M) \to^+_{\mathcal{C}_\varepsilon} t$.

Proof. For $t_1 <_{\mathcal{T}} \cdots <_{\mathcal{T}} t_n$ and any $1 \le i \le n$ we have $Comp(\{t_1,\ldots,t_n\}) =$
$c(t_1, \ldots c(t_i, \ldots c(t_n, x)\ldots)\ldots) \to^*_{\mathcal{C}_\varepsilon} c(t_i, \ldots c(t_n, x)\ldots) \to_{\mathcal{C}_\varepsilon} t_i$. □

Lemma 16 (Properties of $\mathcal{I}_1$). Let $\Delta \subseteq \mathcal{F} \cup \mathcal{F}^\sharp$ where $f \in \Delta$ and $f \triangleright_1 g$
implies $g \in \Delta$. Let $t, s, t\sigma \in \mathcal{T}(\mathcal{F} \cup \mathcal{F}^\sharp, \mathcal{V})$ be terminating terms and let $\sigma$ be a
terminating substitution.

(i) If $t \in \mathcal{T}(\Delta, \mathcal{V})$ then $\mathcal{I}_1(t\sigma) = t\,\mathcal{I}_1(\sigma)$.

(ii) $\mathcal{I}_1(t\sigma) \to^*_{\mathcal{C}_\varepsilon} t\,\mathcal{I}_1(\sigma)$.

(iii) If $t \to_{\mathcal{R}} s$ by a root reduction step where $l \to r \in \mathcal{R}$ and $root(l) \in \Delta$,
then $\mathcal{I}_1(t) \to^+_{\{l \to r\} \cup \mathcal{C}_\varepsilon} \mathcal{I}_1(s)$.

(iv) If $t \to_{\mathcal{R}} s$ with $root(t) \notin \Delta$, then $\mathcal{I}_1(t) \to^+_{\mathcal{C}_\varepsilon} \mathcal{I}_1(s)$.

(v) If $t \to_{\mathcal{R}} s$ where $l \to r \in \mathcal{R}$,
then $\mathcal{I}_1(t) \to^+_{\{l \to r\} \cup \mathcal{C}_\varepsilon} \mathcal{I}_1(s)$ if $root(l) \in \Delta$ and $\mathcal{I}_1(t) \to^+_{\mathcal{C}_\varepsilon} \mathcal{I}_1(s)$ otherwise.

Proof.

(i) The proof is a straightforward structural induction on $t$.

(ii) The proof is by structural induction on $t$. The only interesting case is $t =$
$g(t_1,\ldots,t_n)$ where $g \notin \Delta$. Then we obtain

$\mathcal{I}_1(g(t_1,\ldots,t_n)\sigma) = Comp(\{g(\mathcal{I}_1(t_1\sigma),\ldots,\mathcal{I}_1(t_n\sigma))\} \cup Red_1(g(t_1\sigma,\ldots,t_n\sigma)))$
$\to^+_{\mathcal{C}_\varepsilon} g(\mathcal{I}_1(t_1\sigma),\ldots,\mathcal{I}_1(t_n\sigma))$ by Lemma 15
$\to^*_{\mathcal{C}_\varepsilon} g(t_1\mathcal{I}_1(\sigma),\ldots,t_n\mathcal{I}_1(\sigma))$ by induction hypothesis
$= g(t_1,\ldots,t_n)\,\mathcal{I}_1(\sigma)$

(iii) We have $t = l\sigma \to_{\mathcal{R}} r\sigma = s$. By the definition of $\triangleright_1$, $r$ is a term of $\mathcal{T}(\Delta, \mathcal{V})$.
Using (ii) and (i) we get $\mathcal{I}_1(l\sigma) \to^*_{\mathcal{C}_\varepsilon} l\,\mathcal{I}_1(\sigma) \to_{\{l \to r\}} r\,\mathcal{I}_1(\sigma) = \mathcal{I}_1(r\sigma)$.

(iv) follows by $\mathcal{I}_1(t) = Comp(\{\ldots\} \cup Red_1(t))$, $\mathcal{I}_1(s) \in Red_1(t)$, and Lemma 15.

(v) We do induction on the position $p$ of the redex. If $root(t) \notin \Delta$, we use
(iv). If $root(t) \in \Delta$ and $p$ is the root position, we apply (iii). Otherwise, $p$
is below the root, $t = f(t_1,\ldots,t_i,\ldots,t_n)$, $s = f(t_1,\ldots,s_i,\ldots,t_n)$, $f \in \Delta$,
and $t_i \to_{\mathcal{R}} s_i$. Then the claim follows from the induction hypothesis. □

Now we show that in Thm. 11 one may replace $\Delta_0$ by $\Delta_1$.

Theorem 17 (Improved Modular Termination, Version 1). A TRS $\mathcal{R}$ is
terminating if for every cycle $\mathcal{P}$ of the dependency graph there is a $\mathcal{C}_\varepsilon$-compatible
reduction pair $(\succsim, \succ)$ and an argument filtering $\pi$ satisfying both constraint
Thm. 7 (a) and

(b) $l \succsim_\pi r$ for all rules $l \to r \in Rls(\Delta_1(\mathcal{P},\mathcal{R}))$

Proof. The proof is as for Thm. 11, but instead of (9) one uses this observation:

Every minimal $\mathcal{P}$-chain over $\mathcal{R}$ is a $\mathcal{P}$-chain over $Rls(\Delta_1(\mathcal{P},\mathcal{R})) \cup \mathcal{C}_\varepsilon$. (10)

To prove (10), let $s_1 \to t_1, s_2 \to t_2, \ldots$ be a minimal $\mathcal{P}$-chain over $\mathcal{R}$. Hence,
there is a substitution $\sigma$ such that $t_i\sigma \to^*_{\mathcal{R}} s_{i+1}\sigma$ and all terms $s_i\sigma$ and $t_i\sigma$ are
terminating. This enables us to apply $\mathcal{I}_1$ to both $t_i\sigma$ and $s_i\sigma$ (where we choose $\Delta$
to be $\Delta_1(\mathcal{P},\mathcal{R})$). Using Lemma 16 (v) we obtain $\mathcal{I}_1(t_i\sigma) \to^*_{Rls(\Delta_1) \cup \mathcal{C}_\varepsilon} \mathcal{I}_1(s_{i+1}\sigma)$.
Moreover, by the definition of $\Delta_1$, all $t_i$ are terms over the signature $\Delta_1$. Thus,
by Lemma 16 (i) and (ii) we get $t_i\mathcal{I}_1(\sigma) = \mathcal{I}_1(t_i\sigma) \to^*_{Rls(\Delta_1) \cup \mathcal{C}_\varepsilon} \mathcal{I}_1(s_{i+1}\sigma) \to^*_{\mathcal{C}_\varepsilon}$
$s_{i+1}\mathcal{I}_1(\sigma)$ stating that $s_1 \to t_1, s_2 \to t_2, \ldots$ is also a chain over $Rls(\Delta_1) \cup \mathcal{C}_\varepsilon$. □

^8 Here, equalities in the lemmas of [24,29] are replaced by $\mathcal{C}_\varepsilon$-steps. This is possible
by including the term $g(\mathcal{I}_1(t_1),\ldots,\mathcal{I}_1(t_n))$ in the definition of $\mathcal{I}_1(g(t_1,\ldots,t_n))$.



4 Dependences with Respect to Argument Filterings 



For innermost termination, one may first apply the argument filtering $\pi$ and
determine the usable rules $\mathcal{U}(\mathcal{P},\pi)$ afterwards, cf. [12]. The advantage is that the
argument filtering may eliminate some symbols $f$ from right-hand sides of
dependency pairs and rules. Then, the $f$-rules do not have to be weakly decreasing
anymore. We also presented an algorithm to determine suitable argument
filterings, which is non-trivial since the filtering determines the resulting constraints.

We now introduce a corresponding improvement for termination by defining
"dependence" w.r.t. an argument filtering. Then a cycle only depends on those
symbols that are not dropped by the filtering. However, this approach is only
sound for non-collapsing argument filterings.^9 Consider the non-terminating TRS

f(s(x)) → f(double(x))    double(0) → 0    double(s(x)) → s(s(double(x)))

In the cycle $\{F(s(x)) \to F(double(x))\}$, the filtering $\pi(double) = 1$ results in
$\{F(s(x)) \to F(x)\}$. Since the filtered pair has no defined symbols, we would
conclude that no rule must be weakly decreasing for this cycle. But then we can
solve the cycle's only constraint $F(s(x)) \succ F(x)$ and falsely prove termination.

Example 18. We extend the TRS of Ex. 12 by rules for prime numbers.

prime(s(s(x))) → pr(s(s(x)), s(x))
eq(0, 0) → true
eq(s(x), 0) → false
eq(0, s(y)) → false
eq(s(x), s(y)) → eq(x, y)
pr(x, s(0)) → true
pr(x, s(s(y))) → if(divides(s(s(y)), x), x, s(y))
if(true, x, y) → false
if(false, x, y) → pr(x, y)
divides(y, x) → eq(x, times(div(x, y), y))



The cycle $\{\mathsf{PR}(x, s(s(y))) \to \mathsf{IF}(divides(s(s(y)),x),x,s(y)),\ \mathsf{IF}(false,x,y) \to \mathsf{PR}(x,y)\}$
depends on divides and hence, on div and times. So for this cycle, Thm. 17
requires the div- and times-rules to be weakly decreasing. This is impossible with
reduction pairs based on RPOS, KBO, or polynomial orders, cf. Ex. 12.

But if we first use the filtering $\pi(\mathsf{IF}) = [2,3]$ and compute dependences afterwards,
then the cycle no longer depends on divides, div, or times. If one modifies
"dependence" in this way, then the constraints can again be solved by LPO.

^9 Essentially, we prove absence of infinite $\pi(\mathcal{P})$-chains over $\pi(\mathcal{R})$. But if $\pi$ is collapsing,
then the rules of $\pi(\mathcal{R})$ may have left-hand sides $l$ with $root(l) \in \mathcal{C}$ or $l \in \mathcal{V}$. Thus,
inspecting the defined symbols in a term $\pi(t)$ is not sufficient to estimate which rules
may be used for the $\pi(\mathcal{R})$-reduction of $\pi(t)$.

Definition 19 (Refined Dependence, Version 2). Let $\pi$ be a non-collapsing
argument filtering. For two function symbols $f$ and $g$ we define $f \triangleright_2 g$ iff there
is a rule $l \to r \in Rls(\{f\})$ where $g$ occurs in $\pi(r)$. For a cycle of dependency
pairs $\mathcal{P}$, we define $\mathcal{P} \triangleright_2 g$ iff there is a pair $s \to t \in \mathcal{P}$ where $g$ occurs in $\pi(t)$.
We define $\Delta_2(\mathcal{P},\mathcal{R},\pi) = \{f \mid \mathcal{P} \triangleright_2^+ f\}$ and omit $\mathcal{P}$, $\mathcal{R}$, $\pi$ if they are clear from
the context.
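The three dependence relations of Def. 10, 13 and 19, as an added example that is not code from the paper: it computes $\Delta_0$, $\Delta_1$ and $\Delta_2$ by transitive closure for the $\mathsf{DIV}$-cycle discussed after Ex. 12 and for the $\mathsf{PR}$/$\mathsf{IF}$-cycle of Ex. 18. The two div/quot rules of Ex. 1 are not on this page; the two used here are an assumption reconstructed from the reduction cited in Ex. 8.

```python
# Added example (not code from the paper): computing the dependence sets
# Delta_0, Delta_1 and Delta_2 of Def. 10, 13 and 19 for a cycle of dependency
# pairs, and hence the rules that constraint (b) makes weakly decreasing.
# Terms are nested tuples (symbol, args); a variable is a plain string.
# Convention of this example: tuple symbols are upper-case, and f# -> f is
# obtained by lower-casing.

def T(sym, *args):
    """Build the term sym(args...)."""
    return (sym, tuple(args))

def symbols(t):
    """All function symbols (including tuple symbols) occurring in t."""
    if isinstance(t, str):
        return set()
    sym, args = t
    return {sym}.union(*(symbols(a) for a in args))

def filt(t, pi):
    """Apply a non-collapsing argument filtering pi: symbol -> list of 1-based
    argument positions to keep; symbols absent from pi keep all arguments."""
    if isinstance(t, str):
        return t
    sym, args = t
    keep = pi.get(sym, range(1, len(args) + 1))
    return (sym, tuple(filt(args[i - 1], pi) for i in keep))

def rls(rules, syms):
    """Rls(syms): all f-rules of the TRS with f in syms."""
    return [(l, r) for l, r in rules if l[0] in syms]

def delta(cycle, rules, version, pi=None):
    """Delta_version(P, R, pi) = {f | P >_version^+ f} where
    version 0 (Def. 10): g in either side of an f-rule or pair, f# depends on f;
    version 1 (Def. 13): g in the right-hand side only;
    version 2 (Def. 19): g in the filtered right-hand side pi(r)."""
    pi = pi or {}

    def side_symbols(l, r):
        if version == 0:
            return symbols(l) | symbols(r)
        if version == 1:
            return symbols(r)
        return symbols(filt(r, pi))

    todo = set().union(*(side_symbols(s, t) for s, t in cycle))
    if version == 0:  # every tuple symbol f# depends on f
        todo |= {f.lower() for f in todo if f.isupper()}
    result = set()
    while todo:  # transitive closure of the dependence relation
        f = todo.pop()
        result.add(f)
        for l, r in rls(rules, {f}):
            todo |= side_symbols(l, r) - result
    return result

x, y, z = "x", "y", "z"
ZERO = T("0")
def s(t): return T("s", t)

RULES = [
    # Assumption: rules (2) and (5) of Ex. 1 are not on this page; these two are
    # reconstructed from the reduction quot(x,0,s(0)) ->* s(quot(x,s(0),s(0)))
    # by rules (5) and (2) cited in Ex. 8.
    (T("div", x, y), T("quot", x, y, y)),
    (T("quot", x, ZERO, s(z)), s(T("div", x, s(z)))),
    # Ex. 12
    (T("plus", x, ZERO), x),
    (T("plus", ZERO, y), y),
    (T("plus", s(x), y), s(T("plus", x, y))),
    (T("times", ZERO, y), ZERO),
    (T("times", s(ZERO), y), y),
    (T("div", T("div", x, y), z), T("div", x, T("times", y, z))),
    # Ex. 18
    (T("prime", s(s(x))), T("pr", s(s(x)), s(x))),
    (T("eq", ZERO, ZERO), T("true")),
    (T("eq", s(x), ZERO), T("false")),
    (T("eq", ZERO, s(y)), T("false")),
    (T("eq", s(x), s(y)), T("eq", x, y)),
    (T("pr", x, s(ZERO)), T("true")),
    (T("pr", x, s(s(y))), T("if", T("divides", s(s(y)), x), x, s(y))),
    (T("if", T("true"), x, y), T("false")),
    (T("if", T("false"), x, y), T("pr", x, y)),
    (T("divides", y, x), T("eq", x, T("times", T("div", x, y), y))),
]

# the DIV-cycle discussed after Ex. 12 and the PR/IF-cycle of Ex. 18
DIV_CYCLE = [(T("DIV", T("div", x, y), z), T("DIV", x, T("times", y, z)))]
PR_IF_CYCLE = [
    (T("PR", x, s(s(y))), T("IF", T("divides", s(s(y)), x), x, s(y))),
    (T("IF", T("false"), x, y), T("PR", x, y)),
]

def dependent_rules(cycle, version, pi=None):
    """Roots of Rls(Delta_version(P, R, pi)): the symbols whose rules must be
    weakly decreasing in constraint (b) for this cycle."""
    return sorted({l[0] for l, r in rls(RULES, delta(cycle, RULES, version, pi))})

if __name__ == "__main__":
    print("DIV cycle, Delta_0:", dependent_rules(DIV_CYCLE, 0))
    print("DIV cycle, Delta_1:", dependent_rules(DIV_CYCLE, 1))
    print("PR/IF cycle, Delta_1:", dependent_rules(PR_IF_CYCLE, 1))
    print("PR/IF cycle, Delta_2, pi(IF)=[2,3]:",
          dependent_rules(PR_IF_CYCLE, 2, {"IF": [2, 3]}))
```

With $\Delta_1$ the $\mathsf{DIV}$-cycle no longer depends on div (only on times), and with $\pi(\mathsf{IF}) = [2,3]$ the $\mathsf{PR}$/$\mathsf{IF}$-cycle depends on no defined symbol at all, so constraint (b) is empty.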

To show that $\Delta_1$ may be replaced by $\Delta_2$ in Thm. 17, we define a new mapping $\mathcal{I}_2$.

Definition 20. Let $\pi$ be a non-collapsing argument filtering, $\Delta \subseteq \mathcal{F} \cup \mathcal{F}^\sharp$, $t \in$
$\mathcal{T}(\mathcal{F} \cup \mathcal{F}^\sharp, \mathcal{V})$ be terminating. We define $\mathcal{I}_2(t)$. Here, $Red_2(t) = \{\mathcal{I}_2(t') \mid t \to_{\mathcal{R}} t'\}$.

$\mathcal{I}_2(x) = x$ for $x \in \mathcal{V}$

$\mathcal{I}_2(f(t_1,\ldots,t_n)) = f(\mathcal{I}_2(t_{i_1}),\ldots,\mathcal{I}_2(t_{i_k}))$ for $f \in \Delta$, $\pi(f) = [i_1,\ldots,i_k]$

$\mathcal{I}_2(g(t_1,\ldots,t_n)) = Comp(\{g(\mathcal{I}_2(t_{i_1}),\ldots,\mathcal{I}_2(t_{i_k}))\} \cup Red_2(g(t_1,\ldots,t_n)))$ for $g \notin \Delta$, $\pi(g) = [i_1,\ldots,i_k]$

Lemma 21 differs from the earlier Lemma 16, since $\mathcal{I}_2$ already applies the
argument filtering $\pi$ and in (v), we have $\to^*$ instead of $\to^+$ as a reduction on
a position that is filtered away leads to the same transformed terms w.r.t. $\mathcal{I}_2$.

Lemma 21 (Properties of $\mathcal{I}_2$). Let $\pi$ be a non-collapsing argument filtering
and let $\Delta \subseteq \mathcal{F} \cup \mathcal{F}^\sharp$ such that $f \in \Delta$ and $f \triangleright_2 g$ implies $g \in \Delta$. Let $t, s, t\sigma \in$
$\mathcal{T}(\mathcal{F} \cup \mathcal{F}^\sharp, \mathcal{V})$ be terminating and let $\sigma$ be a terminating substitution.

(i) If $\pi(t) \in \mathcal{T}(\Delta, \mathcal{V})$ then $\mathcal{I}_2(t\sigma) = \pi(t)\,\mathcal{I}_2(\sigma)$.

(ii) $\mathcal{I}_2(t\sigma) \to^*_{\mathcal{C}_\varepsilon} \pi(t)\,\mathcal{I}_2(\sigma)$.

(iii) If $t \to_{\mathcal{R}} s$ by a root reduction step where $l \to r \in \mathcal{R}$ and $root(l) \in \Delta$,
then $\mathcal{I}_2(t) \to^+_{\{\pi(l) \to \pi(r)\} \cup \mathcal{C}_\varepsilon} \mathcal{I}_2(s)$.

(iv) If $t \to_{\mathcal{R}} s$ with $root(t) \notin \Delta$, then $\mathcal{I}_2(t) \to^+_{\mathcal{C}_\varepsilon} \mathcal{I}_2(s)$.

(v) If $t \to_{\mathcal{R}} s$ where $l \to r \in \mathcal{R}$, then
$\mathcal{I}_2(t) \to^*_{\{\pi(l) \to \pi(r)\} \cup \mathcal{C}_\varepsilon} \mathcal{I}_2(s)$ if $root(l) \in \Delta$ and $\mathcal{I}_2(t) \to^*_{\mathcal{C}_\varepsilon} \mathcal{I}_2(s)$ otherwise.

Proof. The proof is analogous to the proof of Lemma 16. □

We are restricted to non-collapsing filterings when determining the rules that
have to be weakly decreasing. But one can still use arbitrary (possibly collapsing)
filterings in the dependency pair approach. For every filtering $\pi$ we define its
non-collapsing variant $\pi'$ as $\pi'(f) = \pi(f)$ if $\pi(f) = [i_1,\ldots,i_k]$ and $\pi'(f) = [i]$
if $\pi(f) = i$. Now we show that in Thm. 17 one may replace $\Delta_1$ by $\Delta_2$.

Theorem 22 (Improved Modular Termination, Version 2). A TRS $\mathcal{R}$ is
terminating if for every cycle $\mathcal{P}$ of the dependency graph there is a $\mathcal{C}_\varepsilon$-compatible
reduction pair $(\succsim, \succ)$ and an argument filtering $\pi$ satisfying both constraint
Thm. 7 (a) and

(b) $l \succsim_\pi r$ for all $l \to r \in Rls(\Delta_2(\mathcal{P},\mathcal{R},\pi'))$, where $\pi'$ is $\pi$'s non-collapsing variant

Proof. Instead of (10), now we need the following main observation for the proof.

If $s_1 \to t_1, s_2 \to t_2, \ldots$ is a minimal $\mathcal{P}$-chain over $\mathcal{R}$, then $\pi'(s_1) \to \pi'(t_1),$
$\pi'(s_2) \to \pi'(t_2), \ldots$ is a $\pi'(\mathcal{P})$-chain over $\pi'(Rls(\Delta_2(\mathcal{P},\mathcal{R},\pi'))) \cup \mathcal{C}_\varepsilon$. (11)

Similar to the proof of (10), $t_i\sigma \to^*_{\mathcal{R}} s_{i+1}\sigma$ implies that $\pi'(t_i)\,\mathcal{I}_2(\sigma) = \mathcal{I}_2(t_i\sigma)$
$\to^*_{\pi'(Rls(\Delta_2)) \cup \mathcal{C}_\varepsilon} \mathcal{I}_2(s_{i+1}\sigma) \to^*_{\mathcal{C}_\varepsilon} \pi'(s_{i+1})\,\mathcal{I}_2(\sigma)$ by Lemma 21 (i), (v), and (ii),
which proves (11).

To show that (11) implies Thm. 22, assume that $s_1 \to t_1, s_2 \to t_2, \ldots$ is a
minimal infinite $\mathcal{P}$-chain over $\mathcal{R}$. Then by (11) there is a substitution $\delta$ ($\mathcal{I}_2(\sigma)$
from above) with $\pi'(t_i)\delta \to^*_{\pi'(Rls(\Delta_2)) \cup \mathcal{C}_\varepsilon} \pi'(s_{i+1})\delta$ for all $i$. Let $\pi''$ be the argument
filtering for the signature $\mathcal{F} \cup \mathcal{F}^\sharp$ which only performs the collapsing steps
of $\pi$ (i.e., if $\pi(f) = i$ and thus $\pi'(f) = [i]$, we have $\pi''(f) = 1$). All other symbols
of $\mathcal{F} \cup \mathcal{F}^\sharp$ are not filtered by $\pi''$. Hence, $\pi = \pi'' \circ \pi'$. We extend $\pi''$ to the
new symbol $c$ by defining $\pi''(c) = [1,2]$. Hence, $\mathcal{C}_\varepsilon$-compatibility of $\succsim$ implies $\mathcal{C}_\varepsilon$-
compatibility of $\succsim_{\pi''}$. Constraint (b) requires $\pi(l) \succsim \pi(r)$ for all rules of $Rls(\Delta_2)$.
Therefore, we have $\pi'(l) \succsim_{\pi''} \pi'(r)$ and thus, all rules of $\pi'(Rls(\Delta_2)) \cup \mathcal{C}_\varepsilon$ are
decreasing w.r.t. $\succsim_{\pi''}$. This implies $\pi'(t_i)\delta \succsim_{\pi''} \pi'(s_{i+1})\delta$ for all $i$. Moreover, (a)
implies $\pi'(s_i)\delta \succ_{\pi''} \pi'(t_i)\delta$ for infinitely many $i$ and $\pi'(s_i)\delta \succsim_{\pi''} \pi'(t_i)\delta$ for all
remaining $i$. This contradicts the well-foundedness of $\succ_{\pi''}$. □



Now we are nearly as powerful as for innermost termination. The only difference
between $\Delta_2(\mathcal{P},\mathcal{R},\pi)$ and $\mathcal{U}(\mathcal{P},\pi)$ is that $\mathcal{U}(\mathcal{P},\pi)$ may disregard subterms
of right-hand sides of dependency pairs if they also occur on the left-hand side
[12], since they are instantiated to normal forms in innermost chains. But for
the special case of constructor systems, the left-hand sides of dependency pairs
are constructor terms and thus $\Delta_2(\mathcal{P},\mathcal{R},\pi) = \mathcal{U}(\mathcal{P},\pi)$. The other differences
between termination and innermost termination are that the innermost dependency
graph is a subgraph of the dependency graph and may have fewer cycles.
Moreover, the conditions for applying dependency pair transformations by narrowing,
rewriting, or instantiation [2,10,12] are less restrictive for innermost termination.
Finally for termination, we use $\mathcal{C}_\varepsilon$-compatible reduction pairs, which
is not necessary for innermost termination. However, virtually all reduction pairs
used in practice are $\mathcal{C}_\varepsilon$-compatible. So in general, innermost termination is still
easier to prove than termination, but the difference has become much smaller.



5 Removing Rules 

To reduce the constraints for termination proofs even further, in this section
we present a technique to remove rules of the TRS that are not relevant for
termination. To this end, the constraints for a cycle $\mathcal{P}$ may be pre-processed
with a reduction pair $(\succsim, \succ)$. If all dependency pairs of $\mathcal{P}$ and all rules that
$\mathcal{P}$ depends on are at least weakly decreasing (w.r.t. $\succsim$), then one may remove
all those rules $\mathcal{R}_\succ$ that are strictly decreasing (w.r.t. $\succ$). So instead of proving
absence of infinite $\mathcal{P}$-chains over $\mathcal{R}$ one only has to regard $\mathcal{P}$-chains over $\mathcal{R} \setminus \mathcal{R}_\succ$.
In contrast to related approaches to remove rules [15,23,30], we permit arbitrary
reduction pairs and remove rules in the modular framework of dependency
pairs instead of pre-processing a full TRS. So when removing rules for a cycle $\mathcal{P}$,
we only have to regard the rules $\mathcal{P}$ depends on. Moreover, removing rules can be
done repeatedly with different reduction pairs $(\succsim, \succ)$. Thm. 23 can also be adapted
for innermost termination proofs with similar advantages as for termination.

Theorem 23 (Modular Removal of Rules). Let $\mathcal{P}$ be a set of pairs, $\mathcal{R}$ be a
TRS, and $(\succsim, \succ)$ be a reduction pair where $\succ$ is monotonic and $\mathcal{C}_\varepsilon$-compatible.
If $l \succsim r$ for all $l \to r \in Rls(\Delta_1(\mathcal{P},\mathcal{R}))$ and $s \succsim t$ for all $s \to t \in \mathcal{P}$ then the
absence of minimal infinite $\mathcal{P}$-chains over $\mathcal{R} \setminus \mathcal{R}_\succ$ implies the absence of minimal
infinite $\mathcal{P}$-chains over $\mathcal{R}$ where $\mathcal{R}_\succ = \{l \to r \in Rls(\Delta_1(\mathcal{P},\mathcal{R})) \mid l \succ r\}$.^10

Proof. Let $s_1 \to t_1, s_2 \to t_2, \ldots$ be an infinite minimal $\mathcal{P}$-chain over $\mathcal{R}$. Hence,
$t_i\sigma \to^*_{\mathcal{R}} s_{i+1}\sigma$. We show that in these reductions, $\mathcal{R}_\succ$-rules are only applied
for finitely many $i$. So $t_i\sigma \to^*_{\mathcal{R} \setminus \mathcal{R}_\succ} s_{i+1}\sigma$ for all $i \ge n$ for some $n \in \mathbb{N}$. Thus,
$s_n \to t_n, s_{n+1} \to t_{n+1}, \ldots$ is a minimal infinite $\mathcal{P}$-chain over $\mathcal{R} \setminus \mathcal{R}_\succ$ which
proves Thm. 23.

Assume that $\mathcal{R}_\succ$-rules are applied for infinitely many $i$. By Lemma 16 (v)
we get $\mathcal{I}_1(t_i\sigma) \to^*_{Rls(\Delta_1) \cup \mathcal{C}_\varepsilon} \mathcal{I}_1(s_{i+1}\sigma)$. As $\succ$ is $\mathcal{C}_\varepsilon$-compatible and $\to_{Rls(\Delta_1)} \subseteq$
$\succsim$, we have $\mathcal{I}_1(t_i\sigma)\ (\succsim \cup \succ)^*\ \mathcal{I}_1(s_{i+1}\sigma)$. Moreover, whenever an $\mathcal{R}_\succ$-rule is used in
$t_i\sigma \to^*_{\mathcal{R}} s_{i+1}\sigma$, then by Lemma 16 (v), the same rule or at least one $\mathcal{C}_\varepsilon$-rule is
used in the reduction from $\mathcal{I}_1(t_i\sigma)$ to $\mathcal{I}_1(s_{i+1}\sigma)$. (This would not hold for $\mathcal{I}_2$, cf.
Lemma 21 (v).) Thus, then we have $\mathcal{I}_1(t_i\sigma) \succ \mathcal{I}_1(s_{i+1}\sigma)$ since $\succ$ is monotonic.
As $\mathcal{R}_\succ$-reductions are used for infinitely many $i$, we have $\mathcal{I}_1(t_i\sigma) \succ \mathcal{I}_1(s_{i+1}\sigma)$
for infinitely many $i$. Using Lemma 16 (ii), (i), and $s \succsim t$ for all pairs in $\mathcal{P}$, we
obtain $\mathcal{I}_1(s_i\sigma) \to^*_{\mathcal{C}_\varepsilon} s_i\mathcal{I}_1(\sigma) \succsim t_i\mathcal{I}_1(\sigma) = \mathcal{I}_1(t_i\sigma)$. By $\mathcal{C}_\varepsilon$-compatibility of $\succ$, we
get $\mathcal{I}_1(s_i\sigma)\ (\succsim \cup \succ)^*\ \mathcal{I}_1(t_i\sigma)$ for all $i$. This contradicts the well-foundedness of $\succ$. □

Rule removal has three benefits. First, the rules $\mathcal{R}_\succ$ do not have to be weakly
decreasing anymore after the removal. Second, the rules that $\mathcal{R}_\succ$ depends on do
not necessarily have to be weakly decreasing anymore either. More precisely,
since we only regard chains over $\mathcal{R} \setminus \mathcal{R}_\succ$, only the rules in $\Delta_1(\mathcal{P}, \mathcal{R} \setminus \mathcal{R}_\succ)$ or
$\Delta_2(\mathcal{P}, \mathcal{R} \setminus \mathcal{R}_\succ, \ldots)$ must be weakly decreasing. And third, it can happen that $\mathcal{P}$
is not a cycle anymore. Then no constraints at all have to be built for $\mathcal{P}$. More
precisely, we can delete all edges in the dependency graph between pairs $s \to t$
and $u \to v$ of $\mathcal{P}$ where $s \to t, u \to v$ is an $\mathcal{R}$-chain, but not an $\mathcal{R} \setminus \mathcal{R}_\succ$-chain.

Example. We extend the TRS of Ex. 18 by the following rules.

p(s(x)) → x
plus(s(x), y) → s(plus(p(s(x)), y))
plus(x, s(y)) → s(plus(x, p(s(y))))

^10 Using $\Delta_2$ instead of $\Delta_1$ makes Thm. 23 unsound. Consider $\{f(a,b) \to f(a,a),\ a \to b\}$.
With $\pi(F) = [1]$, an LPO-reduction pair makes the filtered dependency pair weakly
decreasing and the rule strictly decreasing ($F(a) \succsim F(a)$ and $a \succ b$). But then Thm.
23 would state that we can remove the rule and only prove absence of infinite chains
of $F(a,b) \to F(a,a)$ over the empty TRS. Then we could falsely prove termination.
For the cycle $\{\mathsf{PLUS}(s(x),y) \to \mathsf{PLUS}(p(s(x)),y),\ \mathsf{PLUS}(x,s(y)) \to \mathsf{PLUS}(x,p(s(y)))\}$
there is no argument filtering and reduction pair $(\succsim, \succ)$ with a quasi-simplification
order $\succsim$ satisfying the constraints of Thm. 22. The reason is that
due to p's rule, the filtering cannot drop the argument of p. So $\pi(\mathsf{PLUS}(p(s(x)),y))$
$\succsim \pi(\mathsf{PLUS}(s(x),y))$ and $\pi(\mathsf{PLUS}(x,p(s(y)))) \succsim \pi(\mathsf{PLUS}(x,s(y)))$ hold for
any quasi-simplification order $\succsim$. Furthermore, the transformation technique of
"narrowing dependency pairs" [2,10,12] is not applicable, since the right-hand
side of each dependency pair above unifies with the left-hand side of the other
dependency pair. Therefore, automated tools based on dependency pairs fail.

In contrast, by Thm. 23 and a reduction pair with the polynomial interpretation
$\mathcal{P}ol(\mathsf{PLUS}(x,y)) = x+y$, $\mathcal{P}ol(s(x)) = x+1$, $\mathcal{P}ol(p(x)) = x$, p's rule is strictly
decreasing and can be removed. Then, p is a constructor. If one uses the technique
of "instantiating dependency pairs" [10,12], for this cycle the second dependency
pair can be replaced by $\mathsf{PLUS}(p(s(x)),s(y)) \to \mathsf{PLUS}(p(s(x)),p(s(y)))$. Now the
two pairs form no cycle anymore and thus, no constraints at all are generated.

If we also add the rule $p(0) \to 0$, then again $p(s(x)) \to x$ can be removed by
Thm. 23 but p does not become a constructor and we cannot delete the whole
cycle. Still, the resulting constraints are satisfied by an argument filtering with
$\pi(\mathsf{PLUS}) = [1,2]$, $\pi(s) = \pi(p) = [\,]$ and an LPO with the precedence $s > p > 0$.

Note that here, it is essential that Thm. 23 only requires $l \succsim r$ for rules $l \to r$
that $\mathcal{P}$ depends on. In contrast, previous techniques [15,23,30] would demand
that all rules including the ones for div and times would have to be at least
weakly decreasing. As shown in Ex. 12, this is impossible with standard orders.

To automate Thm. 23, we use reduction pairs $(\succsim, \succ)$ based on linear polynomial
interpretations with coefficients from $\{0, 1\}$. Since $\succ$ must be monotonic,
$n$-ary function symbols can only be mapped to $\sum_{i=1}^n x_i$ or to $1 + \sum_{i=1}^n x_i$. Thus,
there are only two possible interpretations resulting in a small search space.
Moreover, polynomial orders can solve constraints where one inequality must be
strictly decreasing and all others must be weakly decreasing in just one search
attempt without backtracking [13]. In this way, Thm. 23 can be applied very
efficiently. Since removing rules never complicates termination proofs, Thm. 23
should be applied repeatedly as long as some rule is deleted in each application.
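The automation of Thm. 23 just described, as an added example that is not code from the paper or from AProVE: it enumerates the $2^k$ linear interpretations with coefficients from $\{0,1\}$ and applies them to the $\mathsf{PLUS}$-cycle of the example above, where only p's rule lies in $Rls(\Delta_1(\mathcal{P},\mathcal{R}))$. The absolute-positiveness criterion used to compare polynomials over the naturals is an assumption of this example, not a statement of the paper.

```python
# Added example (not code from the paper): rule removal by Thm. 23 with the
# reduction pairs of Sect. 5, i.e. linear polynomial interpretations mapping
# an n-ary symbol f to x_1+...+x_n or to 1+x_1+...+x_n.  A linear polynomial
# is a dict {variable: coefficient} whose constant sits under the key "".
from itertools import product

def T(sym, *args):
    """Build the term sym(args...); variables are plain strings."""
    return (sym, tuple(args))

def poly(t, interp):
    """Pol(t) for interp: symbol -> constant (0 or 1) added to the sum of
    the argument polynomials (all argument coefficients are 1)."""
    if isinstance(t, str):
        return {t: 1}
    sym, args = t
    result = {"": interp.get(sym, 0)}
    for a in args:
        for v, c in poly(a, interp).items():
            result[v] = result.get(v, 0) + c
    return result

def weakly_decreasing(l, r, interp):
    """Pol(l) >= Pol(r) for every assignment of naturals: every coefficient of
    Pol(l) - Pol(r) is non-negative (sufficient criterion, assumption)."""
    pl, pr = poly(l, interp), poly(r, interp)
    return all(pl.get(v, 0) - pr.get(v, 0) >= 0 for v in set(pl) | set(pr))

def strictly_decreasing(l, r, interp):
    """Weak decrease plus a positive constant difference, so Pol(l) > Pol(r)."""
    pl, pr = poly(l, interp), poly(r, interp)
    return weakly_decreasing(l, r, interp) and pl.get("", 0) - pr.get("", 0) > 0

def remove_rules(pairs, dependent, symbols):
    """Search the 2^|symbols| interpretations for one under which all pairs
    of P and all rules of Rls(Delta_1(P,R)) are weakly decreasing and some
    constraint is strict.  Returns (interp, R_succ, strict_pairs): R_succ are
    the rules Thm. 23 removes; a strictly decreasing pair means the cycle
    itself is solved (Thm. 17).  (None, [], []) if no interpretation fits."""
    for consts in product((0, 1), repeat=len(symbols)):
        interp = dict(zip(symbols, consts))
        if not all(weakly_decreasing(l, r, interp) for l, r in pairs + dependent):
            continue
        strict_rules = [(l, r) for l, r in dependent if strictly_decreasing(l, r, interp)]
        strict_pairs = [(l, r) for l, r in pairs if strictly_decreasing(l, r, interp)]
        if strict_rules or strict_pairs:
            return interp, strict_rules, strict_pairs
    return None, [], []

x, y = "x", "y"
ZERO = T("0")
def s(t): return T("s", t)
def p(t): return T("p", t)

# the PLUS-cycle of the example above
PLUS_CYCLE = [
    (T("PLUS", s(x), y), T("PLUS", p(s(x)), y)),
    (T("PLUS", x, s(y)), T("PLUS", x, p(s(y)))),
]
# Rls(Delta_1(P,R)): the right-hand sides of the cycle contain only PLUS, p
# and s, so p's rule is the only one that has to be weakly decreasing
P_RULE = (p(s(x)), x)
P_ZERO_RULE = (p(ZERO), ZERO)  # the extra rule considered at the end of the example

if __name__ == "__main__":
    interp, removed, strict_pairs = remove_rules(PLUS_CYCLE, [P_RULE], ["PLUS", "p", "s"])
    print("interpretation:", interp)      # s -> x+1, p -> x, as on the page
    print("removed rules R_succ:", removed)
    # with p(0) -> 0 added, p(s(x)) -> x is still the only removable rule
    print(remove_rules(PLUS_CYCLE, [P_RULE, P_ZERO_RULE], ["PLUS", "p", "s", "0"])[1])
```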

Note that whenever a dependency pair (instead of a rule) is strictly decreas- 
ing, one has solved the constraints of Thm. 17 and can delete the cycle. Thus, 
one should not distinguish between rule- and dependency pair-constraints when 
applying Thm. 23 and just search for a strict decrease in any of the constraints. 



6 Conclusion and Empirical Results 

We presented new results to reduce the constraints for termination proofs with 
dependency pairs substantially. By Sect. 3 and 4, it suffices to require weak de- 
crease of the dependent rules, which correspond to the usable rules regarded for 
innermost termination. So surprisingly, the constraints for termination and in- 
nermost termination are (almost) the same. Moreover, we showed in Sect. 5 that 
one may pre-process the constraints for each cycle and eliminate rules that are 
strictly decreasing. All our results can also be used together with dependency pair
transformations [2,10,12] which often simplify (innermost) termination proofs. 

We implemented our results in the system AProVE^11 [14] and tested it on the
130 terminating TRSs from [3,8,25]. The following table gives the percentage of 
the examples where termination could be proved within a timeout of 30 s and 
the time for running the system on all examples (including the ones where the 
proof failed). Our experiments were performed on a Pentium IV with 2.4 GHz 
and 1 GB memory. We used reduction pairs based on the embedding order, LPO, 
and linear polynomial interpretations with coefficients from {0, 1} (“Polo”). The 
table shows that with every refinement from Thm. 7 to Thm. 22, termination 
proving becomes more powerful and for more complex orders than embedding, 
efficiency also increases considerably. Moreover, a pre-processing with Thm. 23 
using “Polo” makes the approach even more powerful. Finally, if one also uses 
dependency pair transformations (“tr”), one can increase power further. To mea- 
sure the effect of our contributions, in the first 3 rows we did not use the tech- 
nique for innermost termination proofs, even if the TRS is non-overlapping. (If 
one applies the innermost termination technique in these examples, we can prove 
termination of 95 % of the examples in 23 s with “Polo”.) Finally, in the last row 
(“Inn”) we verified innermost termination with “Polo” and usable rules $\mathcal{U}(\mathcal{P})$ as
in Thm. 17, with usable rules as in Thm. 22, with a pre-processing as
in Thm. 23, and with dependency pair transformations. This row demonstrates
that termination is now almost as easy to prove as innermost termination. To 
summarize, our experiments show that the contributions of this paper are in- 
deed relevant and successful in practice, since the reduction of constraints makes 
automated termination proving significantly more powerful and faster. 





       | Thm. 7      | Thm. 11     | Thm. 17     | Thm. 22     | Thm. 22, 23 | Thm. 22, 23, tr
-------|-------------|-------------|-------------|-------------|-------------|----------------
Emb    | 39 s, 28 %  | 7 s, 30 %   | 42 s, 38 %  | 50 s, 52 %  | 51 s, 65 %  | 82 s, 78 %
LPO    | 606 s, 51 % | 569 s, 54 % | 261 s, 59 % | 229 s, 61 % | 234 s, 75 % | 256 s, 84 %
Polo   | 9 s, 61 %   | 8 s, 66 %   | 5 s, 73 %   | 5 s, 78 %   | 6 s, 85 %   | 9 s, 91 %
Inn    |             |             | 8 s, 78 %   | 8 s, 82 %   | 10 s, 88 %  | 31 s, 97 %
Abstract. Right-(ground or variable) rewrite systems (RGV systems for short) 
are term rewrite systems where all right hand sides of rules are restricted to be 
either ground or a variable. We define a minimal rewrite extension R̄ of the rewrite 
relation induced by a RGV system R. This extension admits a rewrite closure 
presentation, which can be effectively constructed from R. The rewrite closure is 
used to obtain decidability of the reachability, joinability, termination, and 
confluence properties of the RGV system R. We also show that the word problem 
and the unification problem are decidable for confluent RGV systems. We analyze 
the time complexity of the obtained procedures; for shallow RGV systems, 
termination and confluence are exponential, which is the best possible result since 
all these problems are EXPTIME-hard for shallow RGV systems. 



1 Introduction 

It is being increasingly realized that theorem provers are most effective and useful in 
their incarnation as specialized decision procedures for restricted logics. This is true, in 
particular, for equational theories, where rewriting techniques have provided effective 
decision procedures. In the simplest case of equality between constants, rewrite rules, 
representing a Union-Find data structure, decide the word problem. At the next level, 
flat rewrite rules, in the form of abstract congruence closure, handle ground equational 
theories. This can be generalized to shallow-linear equational theories. 

In going from special to more general equational theories, the complexity of de- 
ciding various fundamental problems, like the word problem, termination, confluence, 
reachability, and joinability, increases until all these problems become undecidable. It is, 
therefore, fruitful to know how far the approach towards “specialized theorem provers” 
can take us. In this context, we consider RGV term rewrite systems, where every rule 
l → r is such that r is either a ground term or a variable (and there are no restrictions 
on l). For example, the rules 0 + x → x, x + 0 → x, x + (−x) → 0, (−x) + x → 0, 
and −(−x) → x are all of this kind. It is known that the word problem for this class of 

* Research of the first author was supported in part by the Spanish CICYT project MAVERISH 
ref. TIC2001-2476-C03-01. Research of the second author was supported in part by NSF grant 
CCR-0326540. 
term rewriting systems is undecidable [12]. In this paper, we show that the reachability, 
joinability, termination, and confluence properties are decidable. We also show that the 
word problem is decidable for confluent RGV systems. We note here that most of these 
properties are undecidable even for very restricted classes of term rewrite systems [9]. 

Takai, Kaji, and Seki [14] showed that right-linear finite-path-overlapping systems 
effectively preserve recognizability. Since RGV systems are right-linear and finite -path- 
overlapping, it follows that the reachability and joinability problems for RGV systems 
are decidable. We obtain the same results using a different approach. Takai, Kaji, and 
Seki [14] construct a tree-automaton that represents all terms reachable from a given 
term, whereas we construct a rewrite closure (which works for all initial choices of 
terms). The generality of rewrite closure allows us to obtain new decidability results for 
confluence and termination. We believe that, apart from the main decidability results, our 
approach to obtaining them is also significant. We build on the simple cases in a modular 
way so that an implementation can seamlessly use efficient implementation of, say, 
the union-find data structure for handling equality between constants and congruence 
closure for ground theories (which itself uses the union-find as a subroutine). This is 
achieved by generalizing the existing definitions minimally, for example, flat rules of the 
form fc1 ... cm → c, are generalized to richer F-rules. Second, we make specialized 
use of more general concepts so that it is easy to see where further generalizations 
to larger classes of rewrite system fail. For instance, we use the canonical concept 
of rewrite closure, in parallel to congruence closure or convergent presentations, for 
nonsymmetric properties such as reachability. We show that RGV systems admit rewrite 
closure presentation, but only after we have introduced a new concept of minimal rewrite 
extensions R̄. 

The results described in this paper build upon our previous works [7,8]. Some of the 
technical proofs, which are easy extensions of previously published proofs, have been 
left out. The extension to RGV systems was motivated by the observation that several 
important axioms can be stated using collapsing rules (i.e., right variable rules). In our 
previous work, rewrite closure construction has been a crucial first step for deciding some 
properties of term rewrite systems. Intuitively, a rewrite closure for a rewrite system R 
is the union of two rewrite systems F ∪ B such that the relations induced by R and 
by F ∪ B coincide, and rewriting with F ∪ B can always be re-ordered to rewrite first 
with only F, and then with only B; moreover, F is (size-)decreasing whereas B is 
(size-)nondecreasing. 

The following example introduces the key ideas in the construction of a rewrite clo- 
sure for RGV rewrite systems. Consider the rewrite system R = {c1 → fc1, c2 → fc2, 
c1 → fc1', c2 → fc2', c1' → fc3, c2' → fc3, gxx → x} (we use the notation fc1 to 
represent f(c1) and gxx to represent g(x,x)). Note that R contains a size-decreasing 
rule gxx → x and many size-increasing rules. The term gc1c2 rewrites into f(fc3) by R: 

gc1c2 →_{c1 → fc1'} gf(c1')c2 →_{c2 → fc2'} gf(c1')f(c2') →_{c1' → fc3} gf(fc3)f(c2') →_{c2' → fc3} gf(fc3)f(fc3) →_{gxx → x} f(fc3). 

But the first four rewrite steps are increasing and the last one is decreasing, and hence, 
this derivation is not of the required form. In order to construct a rewrite closure for R, 
we replace the rule gxx → x by the constrained rule gx1x2 → x3 if {x3; x1, x2}. A 
substitution σ is a solution to the constraint {x3; x1, x2} if x3σ is reachable from x1σ 
and x2σ. Hence, this new rule represents all the rules gs1s2 → s3 such that s3 is 
reachable from s1 and s2 by the increasing rules; and in particular, gc1c2 → f(fc3). 
But these new rules are not necessarily decreasing, and consequently we cannot claim 
that we have a rewrite closure. The other ingredient we need is the introduction of new 
constants like c{1,2} that represent all the terms reachable from c1 and c2. Hence, we 
need to add new rules like c{1,2} → fc{1',2'} and c{1',2'} → fc3, and now, we have 
the derivation 

gc1c2 →_{gx1x2 → x3 if {x3; x1, x2}} c{1,2} →_{c{1,2} → fc{1',2'}} fc{1',2'} →_{c{1',2'} → fc3} f(fc3) 

of the required form. 

Outline of the paper. Section 2 introduces some basic notions and notations. In Sec- 
tion 3 we argue that we can make some simplifying assumptions on the initial RGV 
system R without loss of generality. These will simplify the arguments in the rest of the 
paper. Section 4 introduces the concept of minimum joining extension R̄ of a rewrite 
system R, and shows that this extension preserves some properties of the original R. 
Section 5 defines the concept of constrained rewriting with joinability constraints. In 
Section 6 we construct a rewrite closure for R. As a consequence, we obtain the de- 
cidability of reachability and joinability for RGV systems. In Section 7 we prove the 
decidability of termination for RGV systems. In Section 8 we give a characterization of 
the confluence of RGV systems, and use it to prove the decidability of confluence for 
RGV systems, and the decidability of the word problem for confluent RGV systems. In 
Section 9 we briefly analyse the complexity of all the presented algorithms. 

2 Preliminaries 

We use standard notation from the term rewriting literature. A signature Σ is a (finite) 
set of function symbols, which is partitioned as ∪_i Σ_i such that f ∈ Σ_n if the arity of f is n. 
Symbols in Σ_0, called constants, are denoted by a, b, c, d, with possible subscripts. The 
elements of a set X of variable symbols are denoted by x, y with possible subscripts. The 
set T(Σ, X) of terms over Σ and X, position p in a term, subterm t|_p of term t at position 
p, and the term t[s]_p obtained by replacing t|_p by s are defined in the standard way. For 
example, if t is f(a, g(b, h(c)), d), then t|_{2.2.1} = c, and t[d]_{2.2} = f(a, g(b, d), d). By 
t[s1, s2, ..., sn]_{p1, p2, ..., pn} we denote t[s1]_{p1}[s2]_{p2} ... [sn]_{pn}. By Pos(t) we denote the 
set of all positions p such that t|_p is defined. By Vars(t) we denote the set of all 
variables occurring in t. The height of a term s is 0 if s is a variable or a constant, and 
1 + max_i height(s_i) if s = f(s1, ..., sm). Usually we will denote a term f(t1, ..., tn) 
by the simplified form ft1 ... tn, and t[s]_p by t[s] when p is clear from the context or not 
important. 

A substitution σ is sometimes presented explicitly as {x1 ↦ t1, ..., xn ↦ tn}. 

We assume standard definition for a rewrite rule l → r, a rewrite system R, the one 
step rewrite relation at position p induced by R, →_{R,p}, and the one step rewrite relation 
induced by R (at any position), →_R. If R is any rewrite system, then R^− denotes the 
rewrite system {r → l | l → r ∈ R}. If p = λ, then the rewrite step →_{R,p} is said to be 
applied at the topmost position (at the root) and is denoted by s t; it is denoted by 
s — t otherwise. With s —^ t we denote a derivation s →^*_R t where all the rules are 
applied at disjoint positions, i.e. this derivation is not of the form 
s →^*_R ∘ →_{R,p} ∘ →^*_R ∘ →_{R,q} ∘ →^*_R t, where p is a prefix of q or q is a prefix of p. 
The notations ↔, →^+, and →^* are used respectively for the symmetric, transitive, 
and reflexive-transitive closure of a binary relation →. A rewrite system R is confluent 
if the relation ←^*_R ∘ →^*_R is contained in →^* ∘ ←^*, which is equivalent to the relation 
↔^*_R being contained in →^* ∘ ←^* (called the Church-Rosser property). A term t is 
reachable from s by R if s →^*_R t. A term s is R-irreducible (or, in R-normal form) if 
there is no term t such that s →_R t. We denote by s →^!_R t, or t = NF_R(s), the fact 
that an R-irreducible term t is reachable from s by R. Two terms s and t are said to be 
equivalent by R (or, R-equivalent) if s ↔^*_R t. The terms s and t are R-joinable, denoted 
by s ↓_R t, if s →^*_R ∘ ←^*_R t. A (rewrite) derivation or proof (from s) is a sequence of 
rewrite steps (starting from s), that is, a sequence s →_R s1 →_R s2 →_R ··· 

A TRS R is terminating if there is no infinite derivation s →_R s1 →_R s2 →_R ··· 
Termination is usually ensured by showing that the rewrite system R is contained in a 
reduction ordering [5]. A confluent and terminating term rewrite system is said to be 
convergent. 

A term t is called ground if t contains no variables. A term rewrite system R is 
right-(ground or variable) (RGV) if for every l → r ∈ R, the term r is either ground, 
or a variable. 
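
The following Python program is an added example, not part of the paper: it implements the Section 2 notions (positions, subterm t|_p, replacement t[s]_p, Pos(t), Vars(t), height, matching and the one-step relation →_R) over terms encoded as nested tuples, and replays the introductory example by searching for a derivation gc1c2 →^*_R f(fc3) and classifying each of its steps as size-increasing or size-decreasing. The tuple encoding, the bounded breadth-first search (`derivation` with its `max_size` bound) and all function names are this example's own choices, not the paper's.

```python
from collections import deque

# Encoding: a variable is a bare string ('x'); a constant is a 1-tuple ('c1',);
# an application f(t1, ..., tn) is ('f', t1, ..., tn).  Positions are tuples of
# 1-based argument indices: the page's 2.2.1 is (2, 2, 1), the root is ().

def is_var(t):
    return isinstance(t, str)

def subterm(t, p):
    """t|_p (KeyError if p is not in Pos(t))."""
    for i in p:
        if is_var(t) or i >= len(t):
            raise KeyError(p)
        t = t[i]
    return t

def replace(t, p, s):
    """t[s]_p: t with its subterm at position p replaced by s."""
    return s if not p else t[:p[0]] + (replace(t[p[0]], p[1:], s),) + t[p[0] + 1:]

def positions(t):
    """Pos(t), root position () first."""
    return [()] if is_var(t) else [()] + [(i,) + q for i in range(1, len(t)) for q in positions(t[i])]

def variables(t):
    """Vars(t)."""
    return {t} if is_var(t) else set().union(*(variables(a) for a in t[1:]))

def height(t):
    """0 for a variable or constant, else 1 + the maximal height of an argument."""
    return 0 if is_var(t) or len(t) == 1 else 1 + max(height(a) for a in t[1:])

def size(t):
    """Number of symbol occurrences; tells increasing from decreasing steps."""
    return 1 if is_var(t) else 1 + sum(size(a) for a in t[1:])

def match(pattern, t, sigma=None):
    """Substitution sigma with pattern*sigma == t, or None (gxx needs equal args)."""
    sigma = {} if sigma is None else sigma
    if is_var(pattern):
        if pattern in sigma:
            return sigma if sigma[pattern] == t else None
        sigma[pattern] = t
        return sigma
    if is_var(t) or len(pattern) != len(t) or pattern[0] != t[0]:
        return None
    for a, b in zip(pattern[1:], t[1:]):
        if match(a, b, sigma) is None:
            return None
    return sigma

def substitute(sigma, t):
    """t*sigma."""
    return sigma.get(t, t) if is_var(t) else (t[0],) + tuple(substitute(sigma, a) for a in t[1:])

def one_step(R, t):
    """All one-step rewrites t ->_{R,p} t', as (p, rule, t')."""
    for p in positions(t):
        s = subterm(t, p)
        for l, r in R:
            sigma = match(l, s)
            if sigma is not None:
                yield p, (l, r), replace(t, p, substitute(sigma, r))

def is_rgv(R):
    """Every right-hand side is ground or a variable."""
    return all(is_var(r) or not variables(r) for _, r in R)

def derivation(R, s, t, max_size=12):
    """Breadth-first search for s ->*_R t; returns [s, s1, ..., t] or None.
    The size bound is this example's assumption: size-increasing rules such as
    c1 -> fc1 make the reachable set infinite, so unbounded search may not end."""
    parent = {s: None}
    queue = deque([s])
    while queue:
        u = queue.popleft()
        if u == t:
            path = []
            while u is not None:
                path.append(u)
                u = parent[u]
            return path[::-1]
        for _, _, v in one_step(R, u):
            if v not in parent and size(v) <= max_size:
                parent[v] = u
                queue.append(v)
    return None

def decreasing_steps(path):
    """For each step of a derivation, whether it is size-decreasing."""
    return [size(b) < size(a) for a, b in zip(path, path[1:])]

# The system R of the introduction, constructed from the page's example.
c1, c2, c1p, c2p, c3 = ('c1',), ('c2',), ("c1'",), ("c2'",), ('c3',)
R = [(c1, ('f', c1)), (c2, ('f', c2)), (c1, ('f', c1p)), (c2, ('f', c2p)),
     (c1p, ('f', c3)), (c2p, ('f', c3)), (('g', 'x', 'x'), 'x')]
GC1C2, FFC3 = ('g', c1, c2), ('f', ('f', c3))
```

Calling derivation(R, GC1C2, FFC3) returns the six terms of the derivation shown in the introduction, and decreasing_steps on that path gives four increasing steps followed by one decreasing step: the collapsing rule gxx → x can only fire after both arguments have grown to f(fc3), which is exactly the B-before-F ordering that the rewrite closure construction is meant to reverse. The bound is the practical caveat: c1 → fc1 and c2 → fc2 alone generate infinitely many terms, so a bounded search can confirm reachability but a None result refutes nothing, which is why the paper decides reachability through a rewrite closure rather than by search.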

3 Simplifying Assumptions on the Initial RGV System 

Let R be a RGV term rewrite system over the signature Σ. We henceforth assume that a 
left hand side of a rule in R is not a variable. If this were the case, R would be trivially 
not terminating, and either it would be trivially confluent or this rule would be useless 
(of the form x — > x). For reachability and joinability, the procedures introduced here 
can be easily adapted to handle rules of this kind. 

We assume, without loss of generality, that (a) the rewrite system R is over the 
signature Σ = Σ_0 ∪ Σ_m, where Σ_0 = {c1, ..., cn} and Σ_m = {f}, and (b) R is 
partitioned into F ∪ B in such a way that F contains rules of the form fs1 ... sm → α 
(where α is a constant or a variable, or, in short, a height 0 term); whereas B contains 
rules of the form c → fc1 ... cm and rules of the form c → d. The first assumption is 
made to simplify the presentation of proofs and is not crucial for correctness. 

These transformations are standard and have been formally presented before [7,8]. 
We will instead just give an example. 

Example 1. Let Σ_0 = {a}, Σ_1 = {g}, and Σ_2 = {h}. Terms over the signature ∪_i Σ_i 
can be mapped onto terms over a new signature Σ'_3 ∪ Σ'_0 where Σ'_3 = {f} and Σ'_0 = 
{a, g, h}. The term a is mapped to f(a, a, a), the term g(x) to f(x, g, g), and the term 
h(a, g(x)) to f(f(a, a, a), f(x, g, g), h). 

The second transformation is achieved by flattening right-hand side ground terms. 
For example, the rewrite rule s → f(f(a, a, a), f(a, g, g), h) is replaced by s → c1, 
while introducing the new R-rules c1 → fc2c3h, c2 → faaa, and c3 → fagg. 
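
As an added example (not the paper's own code), the following Python functions carry out the two transformations of this section on terms encoded as nested tuples: `uniform` pads every application with copies of its own symbol up to a fixed arity m, as in Example 1, `flatten_rhs` replaces a ground right-hand side by a fresh constant and emits a rule c → fc1 ... cm for each non-constant subterm, and `partition` checks that the result has the F ∪ B shape assumed in (b). Choosing m as one more than the largest arity of the original signature, the fresh-constant numbering, the function names and the small test system are assumptions of this example.

```python
# Terms as in Section 2 of the paper: a variable is a bare string, a constant a
# 1-tuple ('a',), an application ('h', t1, ..., tk).

def is_var(t):
    return isinstance(t, str)

def is_const(t):
    return not is_var(t) and len(t) == 1

def uniform(t, m):
    """Transformation (a): map a term over the original signature onto the
    signature Sigma'_m U Sigma'_0.  An application h(t1, .., tk) becomes
    f(t1', .., tk', h, .., h), padded with h (now a constant) up to arity m,
    exactly as a -> f(a, a, a) and g(x) -> f(x, g, g) in Example 1."""
    if is_var(t):
        return t
    head, args = t[0], t[1:]
    return ('f',) + tuple(uniform(a, m) for a in args) + ((head,),) * (m - len(args))

def fresh_constants(prefix='c'):
    """Supplier of new constants c1, c2, ... (the numbering is this example's choice)."""
    n = 0
    def fresh():
        nonlocal n
        n += 1
        return (f'{prefix}{n}',)
    return fresh

def flatten_rhs(t, fresh, b_rules):
    """Transformation (b): introduce a fresh constant c for the ground term t and
    append c -> f c1 .. cm to b_rules for every non-constant subterm.
    Returns the height-0 term that now replaces t."""
    if is_var(t) or is_const(t):
        return t
    c = fresh()  # name the whole term first, so the root gets the smallest index
    args = tuple(flatten_rhs(a, fresh, b_rules) for a in t[1:])
    b_rules.append((c, (t[0],) + args))
    return c

def flatten_system(R, m):
    """Apply (a) to both sides and (b) to the right-hand side of every rule."""
    fresh, out = fresh_constants(), []
    for l, r in R:
        b_rules = []
        out.append((uniform(l, m), flatten_rhs(uniform(r, m), fresh, b_rules)))
        out.extend(b_rules)
    return out

def partition(R):
    """Split R into F (f s1 .. sm -> height-0 term) and B (c -> f c1 .. cm or
    c -> d); a rule of any other shape violates assumption (b) and raises."""
    F, B = [], []
    for l, r in R:
        if not is_var(l) and l[0] == 'f' and (is_var(r) or is_const(r)):
            F.append((l, r))
        elif is_const(l) and (is_const(r) or (not is_var(r) and r[0] == 'f'
                                              and all(is_const(a) for a in r[1:]))):
            B.append((l, r))
        else:
            raise ValueError(f'rule not of F or B shape: {l} -> {r}')
    return F, B

# Example 1 of the paper, constructed here as test data.
SIG = {'a': 0, 'g': 1, 'h': 2}
M = max(SIG.values()) + 1   # one extra slot so every symbol can carry its own name
H_A_GX = ('h', ('a',), ('g', 'x'))
```

Running flatten_system on a small RGV system such as {g(x) → x, h(x, a) → g(a)} with m = M yields two F-rules (the uniformised left-hand sides with a variable or constant on the right) and two B-rules (c2 → faaa and c1 → fc2gg), and partition accepts the result; the rule shapes the section assumes are thus checkable mechanically before any of the later constructions are applied.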

4 New Constants and the Minimum Joining Extension 

Let R be a RGV system. Suppose fxx → x is a rewrite rule in R. We shall see in later 
sections that it is useful to interpret the rule fxx → x as representing all the instances 




